1. Introduction

The application of formal methods to the analysis of computing systems promises to provide higher and higher 
levels of assurance as the sophistication of our tools and techniques increases. Improvements in tools and 
techniques come about as we pit the current state of the art against new and challenging problems. A promising area 
for the application of formal methods is in real-time and distributed computing. Some of the algorithms in this area 
are both subtle and important. Their proofs are an ideal testing ground for formal methods because they involve 
detailed and sophisticated reasoning which is challenging even for a competent human mathematician. We believe 
that formal methods are already demonstrating that they can make a genuine contribution toward the clarity and 
correctness of these algorithms [15, 3]. 

One important algorithm in this field is the Interactive Convergence Clock Synchronization Algorithm (ICCSA) of 
Lamport and Melliar-Smith [13]. This algorithm maintains approximate synchronization among a number of clocks 
even when the clocks begin running at slightly different times, run at slightly varying rates, and some percentage of 
them may be faulty. The presentation of Lamport and Melliar-Smith both develops the algorithm and states 
formally the assumptions and desired properties required to state and prove its correctness properties. 

A mechanical verification of the algorithm using EHDM was performed by John Rushby and Friedrich von Henke 
and described in [15, 16]. The EHDM effort resulted in a completely formal presentation of the algorithm and its 
proof, a presentation which is arguably somewhat clearer and more rigorous than the original published proof. 
Rushby and von Henke challenged users of proof systems other than EHDM as follows. 

We found that EHDM served us reasonably well; we do not know whether other specification and 
verification environments would have fared as well or better. [W]e invite the developers and users of 
other verification systems to repeat the experiment described here. We suggest the Interactive 
Convergence Clock Synchronization Algorithm is a paradigmatic example of a problem where formal 
verification can show its value and a verification system can demonstrate its capabilities; it is a real 
rather than an artificial problem, its verification is large enough to be challenging without being 
overwhelming, it requires a couple of fairly interesting supporting theories, and its proofs are quite 
intricate and varied. 

In response to this challenge, and as part of an ongoing attempt to verify an implementation of the Interactive 
Convergence Clock Synchronization Algorithm, we decided to undertake a proof of the correctness of the algorithm 
using the Boyer-Moore theorem prover. 

This note describes our approach to proving the ICCSA using the Boyer-Moore prover. Since our proof follows 
closely that of Rushby and von Henke, we will not dwell on the details of the proof but assume that the reader is 
familiar with their quite cogent description of the EHDM version of the proof [15]. Instead we concentrate on the 
use of features of the Boyer-Moore logic and theorem prover which were especially helpful in the specification and 
proof and on the differences from the Rushby and von Henke version. We assume that the reader is somewhat 
familiar with the Boyer-Moore logic and theorem prover [4, 7]. We plan to follow this note with another paper 
co-authored by John Rushby comparing and contrasting the EHDM approach and the Boyer-Moore approach. 

This note is organized as follows. The next section introduces briefly the Interactive Convergence Clock 
Synchronization Algorithm and the problem it is designed to solve. Sections 3 and 4 describe some interesting 
aspects of the specification and proof, respectively, and some of the more significant ways in which these differ 
from the EHDM version. Finally, section 5 contains some conclusions from this study. 
2. The Interactive Convergence Clock Synchronization Algorithm 

A difficult problem facing designers of systems which achieve fault-tolerance via redundant processing capability is 
synchronizing the processors so that they deliver their results at approximately the “same time.” One solution to 
this problem is the Interactive Convergence Clock Synchronization Algorithm of Lamport and Melliar-Smith [13]. 
This algorithm maintains approximate synchronization among a number of clocks even when the clocks begin 
running at slightly different times, run at slightly varying rates, and some percentage of them may be faulty. 

We desire an algorithm in which each processor periodically resynchronizes with all of the other processors in such 
a way that: 

S1. all nonfaulty clocks have approximately the same value at any time; and, 

S2. the adjustment to any clock during a synchronization period is bounded. 

Proving that any algorithm achieves these two conditions is difficult because it requires accounting for a number of 
continually changing quantities.¹ Lamport and Melliar-Smith were able to prove that the ICCSA algorithm has 
these properties. Their proof is quite detailed, involving approximate reasoning and neglect of various terms. 

Conceptually the algorithm operates as follows. Each processor p_i maintains an offset or correction to its private 
(hardware) clock; the private clock value plus correction is the adjusted clock value. The correction is periodically 
updated by adding to it the mean of the differences between p_i's adjusted clock value and all other processors' 
adjusted clock values. Any processor p_j with adjusted value too divergent from p_i's is assumed to be faulty, and a 
difference of 0 between p_i's and p_j's clocks is used in computing the mean. 
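As an added illustration, not code from the paper, the following Python model performs one resynchronization step of the algorithm as just described, with clock values as exact rationals. It assumes that every processor reads all adjusted clocks at the same instant (no read error or drift during the exchange) and that a difference whose magnitude exceeds a constructed threshold BIG_DELTA marks the other clock as faulty; the process names and sample readings are constructed.

```python
from fractions import Fraction
from typing import Dict, Iterable

# Constructed sample: four processes, their private (hardware) clock readings at
# the moment of resynchronization, and their current corrections.  Process "p3"
# is faulty: its clock is wildly off.  Values are rationals, as in the specification.
PRIVATE_CLOCKS: Dict[str, Fraction] = {
    "p0": Fraction(0),
    "p1": Fraction(1, 2),
    "p2": Fraction(-1, 2),
    "p3": Fraction(100),          # faulty clock
}
CORRECTIONS: Dict[str, Fraction] = {p: Fraction(0) for p in PRIVATE_CLOCKS}
GOOD_PROCESSES = ("p0", "p1", "p2")
BIG_DELTA = Fraction(2)           # assumed threshold: larger differences are treated as faulty


def adjusted_clocks(private: Dict[str, Fraction], corrections: Dict[str, Fraction]) -> Dict[str, Fraction]:
    """Adjusted clock value = private clock value + correction."""
    return {p: private[p] + corrections[p] for p in private}


def clock_difference(adjusted: Dict[str, Fraction], p: str, q: str, big_delta: Fraction) -> Fraction:
    """q's adjusted clock minus p's, as seen by p.  A difference of magnitude above
    big_delta marks q as apparently faulty and is replaced by 0; the difference from
    p's own clock is 0 by construction (compare the DELTA2 axioms later in the paper)."""
    d = adjusted[q] - adjusted[p]
    return Fraction(0) if abs(d) > big_delta else d


def correction_increment(adjusted: Dict[str, Fraction], p: str, big_delta: Fraction) -> Fraction:
    """Mean over all n processes of p's clock differences (p's own difference counts as 0)."""
    n = len(adjusted)
    return sum(clock_difference(adjusted, p, q, big_delta) for q in adjusted) / n


def synchronize(private: Dict[str, Fraction], corrections: Dict[str, Fraction],
                big_delta: Fraction) -> Dict[str, Fraction]:
    """One ICCSA resynchronization: every process adds the mean difference to its
    correction.  Returns the new correction table; private clocks are untouched."""
    adjusted = adjusted_clocks(private, corrections)
    return {p: corrections[p] + correction_increment(adjusted, p, big_delta) for p in private}


def max_skew(private: Dict[str, Fraction], corrections: Dict[str, Fraction],
             good: Iterable[str]) -> Fraction:
    """Largest pairwise difference between adjusted clocks of the good processes (condition S1)."""
    adjusted = adjusted_clocks(private, corrections)
    good = tuple(good)
    return max(abs(adjusted[p] - adjusted[q]) for p in good for q in good)


def max_adjustment(old: Dict[str, Fraction], new: Dict[str, Fraction], good: Iterable[str]) -> Fraction:
    """Largest change any good process made to its correction in this period (condition S2)."""
    return max(abs(new[p] - old[p]) for p in good)


if __name__ == "__main__":
    before = max_skew(PRIVATE_CLOCKS, CORRECTIONS, GOOD_PROCESSES)
    new_corr = synchronize(PRIVATE_CLOCKS, CORRECTIONS, BIG_DELTA)
    after = max_skew(PRIVATE_CLOCKS, new_corr, GOOD_PROCESSES)
    print(f"skew among good clocks: {before} -> {after}")
    print(f"largest adjustment: {max_adjustment(CORRECTIONS, new_corr, GOOD_PROCESSES)}")
```

With the constructed readings the skew among the three good clocks drops from 1 to 1/4 in one period, while the faulty clock's reading is discarded by every good process.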

Though the algorithm is conceptually quite simple, the statement of the correctness properties and their proof is 
complex. The correctness of the algorithm is stated in terms of certain quantities listed in figure 1 and others 
computed in terms of them. The proof shows that under certain conditions on the relationships among these 
parameters, this algorithm does maintain adequate synchronization among n processes with at most m faulty 
processes. Here adequate synchronization is defined in terms of formal statements of conditions S1 and S2 above. 
A completely formal description of the algorithm and its correctness conditions is given by Rushby and von 
Henke [15]. Our formalization follows fairly closely the Rushby and von Henke version and is given as the 
sequence of Boyer-Moore “events” in the appendix. In the following two sections we highlight features of the 
Boyer-Moore logic and prover which were particularly helpful in our specification, with emphasis on the differences 
from the EHDM version. 


3. Specifying the ICCSA in the Boyer-Moore Logic 


Capturing formally the Interactive Convergence Clock Synchronization Algorithm within the Boyer-Moore logic 
was a challenge despite the fact that we had as a model a fully formal version in EHDM. There are differences in the 
languages which make translating from one to the other nontrivial. In particular, EHDM allows full first order 
quantification and uses higher-order functions in a manner which cannot be specified in the Boyer-Moore logic. 
However, recent additions to the logic, particularly CONSTRAIN and DEFN-SK, made our task much easier than 
it otherwise would have been. 


¹ In fact, a proof of an implementation of the ICCSA algorithm was asserted to be “probably beyond the ability of any current mechanical 
verifier” [14]. 
n     number of clocks. 
m     number of faulty clocks. 
R     clock time between synchronizations. 
S     clock time to perform the synchronization algorithm. 
δ     maximum real time skew between any two good clocks. 
δ₀    maximum initial real time skew between any two good clocks. 
ε     maximum real time clock read error. 
ρ     maximum clock drift rate. 
Σ     maximum correction permitted. 

Figure 1: Some Quantities Required for Specifying the ICCSA 


3.1 Computing with Rationals 

The Boyer-Moore logic provides as “primitives” the data types of booleans, naturals, literal atoms, negative 
integers, and lists. Describing the ICCSA and proving its synchronization properties requires the manipulation of 
numerous rational quantities. The Boyer-Moore “shell” mechanism allows the user to add new recursively defined 
data types. The rationals have been added as a new shell and explored to some extent in some previous specification 
efforts. Until recently, however, there has not been a well thought out library of definitions and rewrite rules for 
rationals such as have been developed for several other data types [1, 12]. Recently Matt Wilding of CLI has built a 
useful library for the rationals; this library provided a solid basis for our proof. 

The rationals library is built on top of an earlier library for the integers.² Operations defined include equality, the 
various arithmetic operations on rationals, and the relational operator RLESSP. A number of useful rewrite rules are 
proved about these functions and included in the library. On top of the basis provided by Wilding’s library, we 
defined some additional operations required for the ICCSA specification, such as rational absolute value, operations 
coercing integers to rationals, and arithmetic operations taking both integer and rational arguments. Proving 
properties of these functions was usually quite easy because the underlying library was well thought-out. This 
contrasts with some earlier proof efforts [2, 9, 17] in which all theories had to be built “from scratch.” 

There are some quirks in dealing with rationals in the logic which are not present for most data types. In particular, 
there are an infinite number of representations for each rational number. This leads to the need to reduce all 
rationals to a canonical form before comparing them. All of the operations in Wilding’s rationals library leave 
rationals in reduced form. 

Rational equality is defined in terms of these reduced forms: 

    (DEFN REQUAL (X Y)
      (EQUAL (REDUCE X) (REDUCE Y)))

However, since the prover has extensive built-in heuristics for EQUAL, but not for REQUAL, it was convenient to 
open up this definition whenever possible. This leads to a continual need to deal with terms of the form 
(REDUCE X). Luckily, the rationals library contains an extensive collection of rewrites, such as the following two 
for the RPLUS function, which eliminate most appearances of the REDUCE operator. 

    (PROVE-LEMMA RPLUS-REDUCE (REWRITE)
      (AND (EQUAL (RPLUS (REDUCE X) Y)
                  (RPLUS X Y))
           (EQUAL (RPLUS X (REDUCE Y))
                  (RPLUS X Y))))

    (PROVE-LEMMA REDUCE-RPLUS (REWRITE)
      (EQUAL (REDUCE (RPLUS X Y))
             (RPLUS X Y)))

² A rational is represented as a pair of integers (RATIONAL I J) with appropriate constraints on the signs of I and J. 


These ubiquitous REDUCE expressions caused one oddity in the specification. The library contains a number of 
rewrite rules such as: 

    (PROVE-LEMMA RPLUS-RZEROP (REWRITE)
      (IMPLIES (RZEROP X)
               (AND (EQUAL (RPLUS X Y) (REDUCE Y))
                    (EQUAL (RPLUS Y X) (REDUCE Y)))))

However, using this rewrite rule an expression such as 

    (EQUAL (RHO) (RPLUS (RHO) (RATIONAL 0 1)))

rewrites to 

    (EQUAL (RHO) (REDUCE (RHO)))

which is not provable unless (RHO) is known to be in reduced form, e.g., if (RHO) is a constrained constant (see 
section 3.2 below). This led to the need to require that most constrained constants be in reduced form. 

This rather odd but innocuous requirement could be avoided by consistently using REQUAL rather than EQUAL 
whenever referring to rational quantities. However, even with extensive theory development, heuristic reasoning 
support for REQUAL would not equal that available for EQUAL. An experimental facility supporting reasoning with 
congruence relations [8] might have alleviated some of this difficulty but was not used here. 
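As an added illustration, not code from the paper or from Wilding's library, the following Python model mirrors the pair representation and reduced form described above and shows why EQUAL on an unreduced constant fails where REQUAL succeeds; the function names, the "positive denominator" sign convention and the sample values are assumptions modelled on the description.

```python
from math import gcd
from typing import Tuple

# A rational is a pair of integers (RATIONAL I J), meaning I/J, with the assumed
# sign constraint that the denominator J is positive (numerator carries the sign).
Rational = Tuple[int, int]


def reduce(r: Rational) -> Rational:
    """Canonical form: positive denominator, coprime numerator/denominator, zero as (0, 1)."""
    i, j = r
    if j == 0:
        raise ZeroDivisionError("denominator must be nonzero")
    if j < 0:                   # normalise the sign onto the numerator
        i, j = -i, -j
    g = gcd(abs(i), j)          # gcd(0, j) == j, so (0, j) reduces to (0, 1)
    return (i // g, j // g)


def rplus(x: Rational, y: Rational) -> Rational:
    """Rational addition; like the library's RPLUS it always returns a reduced result."""
    (xi, xj), (yi, yj) = x, y
    return reduce((xi * yj + yi * xj, xj * yj))


def requal(x: Rational, y: Rational) -> bool:
    """REQUAL: equality of reduced forms, so any two representations of a value agree."""
    return reduce(x) == reduce(y)


def rlessp(x: Rational, y: Rational) -> bool:
    """RLESSP on reduced forms; denominators are positive, so cross-multiplication is valid."""
    (xi, xj), (yi, yj) = reduce(x), reduce(y)
    return xi * yj < yi * xj


def rzerop(x: Rational) -> bool:
    """RZEROP: the value is zero in any representation."""
    return reduce(x) == (0, 1)


def equal_after_adding_zero(rho: Rational) -> bool:
    """The situation behind RPLUS-RZEROP: (EQUAL (RHO) (RPLUS (RHO) (RATIONAL 0 1)))
    becomes (EQUAL (RHO) (REDUCE (RHO))), which holds only if RHO is already reduced.
    Structural (EQUAL-style) comparison, deliberately not requal."""
    return rho == rplus(rho, (0, 1))
```

Structural equality of (2, 4) with its own sum with zero fails because rplus returns (1, 2), while requal accepts both; this is the reason the paper requires constrained constants to be in reduced form.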

The utility of the rationals library is greatly enhanced by the addition of several useful metafunctions. 
Metafunctions [5] are user-defined term simplification routines which are proven to preserve the meaning 
(evaluation) of the term to which they are applied. For example, a function in the rationals library “cancels” 
complementary terms in a rationals RPLUS expression. Proving that this function preserves the meaning (value) of 
the term to which it is applied sanctions the installation of this code as an additional simplification routine within the 
prover. The code is installed automatically by the prover upon proof of the required theorems and replaces a 
potentially infinite collection of rewrite rules. 


The collection of metafunctions within the rationals library greatly simplifies reasoning about RPLUS, RTIMES, and 
RLESSP expressions. We added an additional metalemma for the RLEQ (rationals less than or equal) function. 
This was not strictly necessary since RLEQ is defined in terms of REQUAL and RLESSP. However, to avoid the 
explosion of cases on theorems involving many RLEQ hypotheses, we decided to develop a theory for RLEQ on top 
of Wilding's rationals library and leave RLEQ disabled (so that it would not be automatically opened up by the 
prover). We are not completely convinced of the wisdom of this decision. 
3.2 Uses of CONSTRAIN 

As we saw in section 2 above, the ICCSA is described in terms of a large number of integer and rational-valued 
parameters; these are conceptually global constants for purposes of the specification. There is a sizable collection 
of assumptions about the relative sizes of these quantities. In the Rushby and von Henke specification, these are 
given as EHDM axioms. Within the Boyer-Moore logic there are various options for how to introduce these 
constants into the specification: 

• pass them as parameters to each function requiring them and add the assumptions as explicit 
hypotheses on each theorem requiring them; 

• define each constant as a declared function of no arguments and add any required assumptions as 
axioms; 

• use the Boyer-Moore CONSTRAIN [6] mechanism to introduce the constants as new function symbols 
and introduce the assumptions axiomatically within the CONSTRAIN. 

The advantage of this final approach is that it guarantees that the introduced axioms are consistent without cluttering 
up definitions and theorems with a multitude of additional parameters and hypotheses. Moreover, using a 
CONSTRAIN event to introduce a new function symbol avoids the overspecification often occasioned by 
introducing functions via explicit definitions; only the required properties of the function need be specified. 

A CONSTRAIN event introduces one or more function symbols along with axioms which they must satisfy. To 
guarantee the consistency of the axioms, the user must supply witness functions which satisfy the axioms. For 
example, we model the function Δ that computes the difference in clock values between processes p and q in 
period i, with the CONSTRAIN event: 

    (CONSTRAIN DELTA2-INTRO (REWRITE)
      (AND (RATIONALP (DELTA2 R P I))
           (EQUAL (DELTA2 P P I) (RATIONAL 0 1))
           (IMPLIES (NOT (NUMBERP I))
                    (EQUAL (DELTA2 R P I)
                           (DELTA2 R P 0)))
           (EQUAL (REDUCE (DELTA2 P Q I))
                  (DELTA2 P Q I)))
      ((DELTA2 (LAMBDA (R P I) (RATIONAL 0 1)))))

This asserts that the newly introduced function DELTA2 is rational-valued, returns zero as the difference from a 
process’s own clock value, always coerces its third argument to a natural number, and returns a rational in reduced 
form.³ We also supply a function which satisfies these axioms, namely the function of three arguments which 
always returns rational zero. A CONSTRAIN event is not accepted unless the axioms, appropriately instantiated 
with the witness functions, can be proved. This assures the consistency of the axioms by exhibiting a model. 

Most of the constant parameters of our specification are introduced in a single large CONSTRAIN event 
PARAMETERS-INTRO given in Figure 2. It might have been better to introduce these via several different 
CONSTRAIN events. In that case, however, it could have been more difficult to find appropriate witness functions. 

A very strong advantage of introducing the various parameters in this way is that their names and properties become 
“globally” visible. This allows us to give our theorems in a succinct form very close to those of the EHDM 
representation. Figure 3, for example, shows the same lemma in both its EHDM form⁴ and in the Boyer-Moore 
logic. 


³ This is not a minimal set. The first axiom follows from the fourth one. 

⁴ Forms in [15] were pretty printed using a special facility described in that report; raw input to EHDM is much less elegant. The version here 
is in the prettified format. 



    (CONSTRAIN PARAMETERS-INTRO (REWRITE)
      ;; R and S
      (AND (RATIONALP (R))
           (RATIONALP (S))
           (RLESSP (RATIONAL 0 1) (R))
           (RLESSP (RATIONAL 0 1) (S))                          ;; pos_S
           (RLEQ (RTIMES (RATIONAL 3 1) (S)) (R))               ;; C1
           ;; rho
           (RATIONALP (RHO))
           (RLEQ (RATIONAL 0 1)
                 (RTIMES (RATIONAL 1 2) (RHO)))                  ;; rho_pos
           (RLESSP (RTIMES (RATIONAL 1 2) (RHO))
                   (RATIONAL 1 1))                              ;; rho_small
           ;; other parameters
           (RATIONALP (EPSILON))
           (RATIONALP (DELTA))
           (RATIONALP (DELTA0))
           (RATIONALP (BIG-SIGMA))
           (RATIONALP (BIG-DELTA))
           (NUMBERP (N))
           (NOT (EQUAL (N) 0))
           (NUMBERP (M))
           (LESSP (M) (N))
           (RLESSP (RATIONAL 0 1) (BIG-DELTA))                  ;; C0_a
           (RLEQ (BIG-SIGMA) (S))                               ;; C0_b
           (RLEQ (BIG-DELTA) (BIG-SIGMA))                       ;; C0_c
           (RLEQ (RPLUS (DELTA)
                        (RPLUS (EPSILON)
                               (RTIMES (RATIONAL 1 2)
                                       (RTIMES (RHO) (S)))))
                 (BIG-DELTA))                                   ;; C2
           (RLEQ (RPLUS (DELTA0) (RTIMES (RHO) (R)))
                 (DELTA))                                       ;; C3
           (RLEQ
             (RPLUS
               (RTIMES (RATIONAL 2 1)
                       (RPLUS (EPSILON) (RTIMES (RHO) (S))))
               (RPLUS (RQUOTIENT-NAT
                        (RTIMES-NAT (TIMES 2 (M)) (BIG-DELTA))
                        (DIFFERENCE (N) (M)))
                      (RPLUS
                        (RQUOTIENT-NAT
                          (RTIMES-NAT (N) (RTIMES (RHO) (R)))
                          (DIFFERENCE (N) (M)))
                        (RPLUS (RTIMES (RHO) (BIG-DELTA))
                               (RQUOTIENT-NAT
                                 (RTIMES-NAT (N) (RTIMES (RHO)
                                                         (BIG-SIGMA)))
                                 (DIFFERENCE (N) (M)))))))
             (DELTA)))                                          ;; C4
      ((R (LAMBDA () (RATIONAL 3 1)))
       (S (LAMBDA () (RATIONAL 1 1)))
       (RHO (LAMBDA () (RATIONAL 0 1)))
       (EPSILON (LAMBDA () (RATIONAL 0 1)))
       (DELTA (LAMBDA () (RATIONAL 0 1)))
       (DELTA0 (LAMBDA () (RATIONAL 0 1)))
       (BIG-SIGMA (LAMBDA () (RATIONAL 1 2)))
       (BIG-DELTA (LAMBDA () (RATIONAL 1 2)))
       (N (LAMBDA () 1))
       (M (LAMBDA () 0))))

Figure 2: CONSTRAIN Introducing ICCSA Parameters 
The EHDM Version: 

    lemma1: Lemma
      S1C(p, q, i) ∧ S2(p, i) ∧ nonfaulty(p, i + 1) ∧ nonfaulty(q, i + 1) ⊃ |Δ_qp^(i)| < Δ

The Boyer-Moore Version: 

    (PROVE-LEMMA LEMMA1 (REWRITE)
      (IMPLIES (AND (S1C P Q I)
                    (S2 P I)
                    (NONFAULTY P (ADD1 I))
                    (NONFAULTY Q (ADD1 I)))
               (RLESSP (RABS (DELTA2 Q P I)) (BIG-DELTA))))

Figure 3: EHDM and Boyer-Moore Versions of the Same Lemma 


3.3 DEFN-SK 

Another relatively new feature of the logic which proved useful was the DEFN-SK facility [11], which allows the 
introduction of quantified expressions into the specification. Several important constructs in the Rushby and von 
Henke version were defined via quantification. Earlier versions of the Boyer-Moore logic could not express many 
of these conveniently. In particular, to prove an existential statement required exhibiting a witness 
constructively. 

A DEFN-SK event allows the definition of an explicitly quantified term and the use of this term in other definitions 
and theorems. For example, the notion of a good clock (within the interval [T_0 .. T_N]) is defined by Rushby and von 
Henke as:⁵ 

    goodclock: function[proc, clocktime, clocktime → bool] =
      (λ p, T_0, T_N :
        (∀ T_1, T_2 :
          T_0 ≤ T_1 ∧ T_0 ≤ T_2 ∧ T_1 ≤ T_N ∧ T_2 ≤ T_N
          ⊃ |c_p(T_1) − c_p(T_2) − (T_1 − T_2)|
            ≤ ρ/2 * |T_1 − T_2|))


Our definition is given by the DEFN-SK event: 


⁵ Notice that this definition is from the revised specification. The first published version had “<” where the current version has “≤”. This has 
the rather curious consequence that there are no good clocks in a system in which the parameter ρ which gives the maximum clock drift rate is 
zero. Intuitively, this means that if all clocks are perfect no clocks are good. 
    (DEFN-SK+ GOOD-CLOCK (P LOW HIGH)
      (FORALL (T1 T2)
        (IMPLIES (AND (IN-INTERVAL T1 LOW HIGH)
                      (IN-INTERVAL T2 LOW HIGH))
                 (RLEQ (RABS (RPLUS (CLOCK P T1)
                                    (RPLUS (RNEG (CLOCK P T2))
                                           (RPLUS (RNEG T1) T2))))
                       (RTIMES (RATIONAL 1 2)
                               (RTIMES (RHO)
                                       (RABS (RPLUS T1 (RNEG T2)))))))))


A DEFN-SK event causes two axioms to be added to the database; these two axioms correspond to the 
skolemization of the event in each “direction” and together allow us to use an instance of a quantified expression 
appearing in a hypothesis of a theorem and to prove an instance appearing as the conclusion. The macro version 
DEFN-SK+ of the event also causes these axioms to be encapsulated and proved as rewrite rules. For 
GOOD-CLOCK these two theorems are shown in figure 4. See [11] for details on how these are generated and a 
proof of the soundness of the approach. 


    (PROVE-LEMMA GOOD-CLOCK-SUFF (REWRITE)
      (IMPLIES
        (IMPLIES
          (AND (IN-INTERVAL (T1 HIGH LOW P) LOW HIGH)
               (IN-INTERVAL (T2 HIGH LOW P) LOW HIGH))
          (RLEQ (RABS (RPLUS (CLOCK P (T1 HIGH LOW P))
                             (RPLUS (RNEG (CLOCK P (T2 HIGH LOW P)))
                                    (RPLUS (RNEG (T1 HIGH LOW P))
                                           (T2 HIGH LOW P)))))
                (RTIMES (RATIONAL 1 2)
                        (RTIMES (RHO)
                                (RABS (RPLUS (T1 HIGH LOW P)
                                             (RNEG (T2 HIGH LOW P))))))))
        (GOOD-CLOCK P LOW HIGH)))

    (PROVE-LEMMA GOOD-CLOCK-NECC (REWRITE)
      (IMPLIES
        (NOT (IMPLIES
               (AND (IN-INTERVAL T1 LOW HIGH)
                    (IN-INTERVAL T2 LOW HIGH))
               (RLEQ (RABS (RPLUS (CLOCK P T1)
                                  (RPLUS (RNEG (CLOCK P T2))
                                         (RPLUS (RNEG T1) T2))))
                     (RTIMES (RATIONAL 1 2)
                             (RTIMES (RHO)
                                     (RABS (RPLUS T1 (RNEG T2))))))))
        (NOT (GOOD-CLOCK P LOW HIGH))))

Figure 4: Theorems Generated for a DEFN-SK+ Event 


Use of DEFN-SK allows us to define concepts involving quantifiers in a fashion which is very analogous to their 
EHDM counterparts. However, we did not always find this convenient. For example, Rushby and von Henke 
define SDEF as follows: 


    Sdef: Axiom  T ∈ S^(i) = (∃ Π : 0 ≤ Π ∧ Π ≤ S ∧ T = T^(i) + R − S + Π)

A close analogue in the Boyer-Moore logic using DEFN-SK would be: 

    (DEFN-SK+ SDEF (TM I)
      (EXISTS PI
        (AND (RLEQ (RATIONAL 0 1) PI)
             (RLEQ PI (S))
             (EQUAL (REDUCE TM)
                    (RPLUS (TI I) (RPLUS (RDIFFERENCE (R) (S)) PI))))))


However, we found the following definition to be more convenient and to eliminate an unnecessary existential 
quantifier. 

    (DEFN IN-S (TM I)
      (IN-INTERVAL TM
                   (RDIFFERENCE (TI (ADD1 I)) (S))
                   (TI (ADD1 I))))


This illustrates that often the use of one style of definition is more “natural” in a given logic even when other 
styles are available. It is not surprising then that some of our definitions were quite different from the corresponding 
EHDM versions. However, we believe them to be equivalent in all relevant aspects. As an exercise, we proved the 
lemma which shows the equivalence of the definitions SDEF and IN-S. 

    (PROVE-LEMMA SDEF-IN-S-EQUIVALENCE ()
      (IFF (SDEF TM I) (IN-S TM I)))


Using CONSTRAINs and DEFN-SKs, we were able to write theorems which are textually very close to the EHDM 
versions in most cases. It is evident from the two versions of LEMMA1 listed in Figure 3 that, except for minor 
textual differences, there is very little difference in the presentation of theorems in the two logics. This was the rule 
rather than the exception for the lemmas required in our proof. 

3.4 Avoiding Higher Order Functions 

The ability within EHDM to define higher order functions is a definite benefit from the perspective of writing clear 
and elegant specifications. However, many of the uses of higher order functions can be avoided by careful use of 
facilities available within the Boyer-Moore logic; this was true of each of the uses of the EHDM higher order 
facilities in the ICCSA specification. 

As an example, consider the mean function defined by Rushby and von Henke as follows: 

    mean: function[nat, nat, function[nat → number] → number] =
      (λ i, j, F : if i < j then (Σ_{k=i}^{j} F(k)) / (j + 1 − i) else 0 end if)

Notice that one parameter to this definition is a function F. From this definition, Rushby and von Henke prove a 
number of quite general lemmas. 


There is not a similar facility within the Boyer-Moore logic, though many of the advantages of such higher order 
definitions are available via other routes. For example, our version of the mean, RMEAN, is defined as follows: 

    (DEFN RSUM (LST)
      (IF (NLISTP LST)
          (RATIONAL 0 1)
          (RPLUS (CAR LST) (RSUM (CDR LST)))))

    (DEFN RMEAN (LST)
      (RQUOTIENT-NAT (RSUM LST) (LENGTH LST)))

Rather than parameterizing RMEAN with a function, we parameterize it with a list of elements returned by the 
function. This is conceptually equivalent and we can prove all of the nice properties of the EHDM version. Most of 
the interesting properties are really properties of RSUM rather than of RMEAN. 

This style of trivial transformation is not the only way to deal with higher order functions and properties in the logic. 
An interpreter is available for the logic which permits reasoning about functions at the meta-level. Also, it is 
possible to “fake” higher-order properties in other ways. We have checked the proof, for example, that there is no 
algorithm which solves a certain version of the Byzantine Generals problem [3]. This is inherently a second order 
property. 


4. Aspects of the Proof 
4.1 Restraining the Prover 

Our proof of the ICCSA was atypical of most proofs using the Boyer-Moore prover in several ways. Rushby and 
von Henke had done much of the difficult work of finding a sequence of lemmas leading up to the proofs of the 
desired correctness theorems. Moreover, because of the way the EHDM prover operates, the collection of lemmas 
necessary for a given proof is displayed along with their specific instantiations. Given this information, 
constructing a formal proof is largely a matter of intelligent simplification and tautology checking.⁶ 

A proof in the Boyer-Moore theorem prover typically relies more on the prover’s heuristics to choose among 
previously proven lemmas and instantiate them correctly. However, the prover can be used in a more restrained 
fashion by disabling most functions and rewrite rules and using the prover as a simple proof checker. This is done 
by enabling only those lemmas known to be relevant and adding USE hints to specify particular instantiations of the 
variables in needed lemmas. This was the approach we followed in our proof of the ICCSA; most functions and 
lemmas were globally disabled. We also made use of an experimental feature for encapsulating the names of a 
group of events into a “theory” which can be enabled or disabled collectively. Figure 5 shows a particular lemma 
in our script which is an example of the use of USE hints, selective enabling, and theory enabling to obtain the proof. 

4.2 Order of Steps in the Proof 

The Boyer-Moore prover allows very little flexibility in the order of steps in a proof. Each function must be fully 
defined or constrained before it is used; each lemma must be proven before it can be used in proofs. For definitions 
this means that there is no genuine mutual recursion.⁷ For proofs it means that the proof is presented (though not 
necessarily discovered) in a very “bottom-up” style. This approach guarantees that there are no circularities in the 
proof. 

EHDM does not impose such a limited ordering on the steps in the proof. To assure that there are no circularities in 
the resulting proof, a tool called the EHDM Proof Chain Analyzer is run over the final proof and checks for 
circularities. In the proof of ICCSA there is a circularity in the proof of the main theorem THEOREM1. This is 
explained as follows: 

    This circularity is apparent, rather than real, as it occurs in the context of an inductive proof, in which the 
    theorem is used for i in the part of the proof that extends it to i + 1. We are working towards 
    constructing a proof description that reflects this induction step more straightforwardly. [15] 

Unfortunately, determining whether such a circularity is apparent or real requires a fairly deep understanding of the 
proof. The Boyer-Moore approach does not allow even an apparent circularity, but the cost is a much more 
regimented approach to proof presentation. 

⁶ The EHDM proof of ICCSA used only the EHDM ground prover [15]. 

⁷ There is a standard way to gain the effects of mutual recursion by defining several “functions” within one and using a flag to distinguish 
among them [7]. Also, there is an available read macro for the prover which turns a list of mutually recursive definitions into an event of this 
type [10]. 

    (LEMMA SUBLEMMA-A (REWRITE)
      (IMPLIES (AND (NONFAULTY P I)
                    (NONFAULTY Q I)
                    (IN-R TM I))
               (RLEQ (SKEW P Q TM I)
                     (RPLUS (SKEW P Q (TI I) I)
                            (RTIMES (RHO) (R)))))
      ((USE (REARRANGE-ALT (X (C P I TM))
                           (Y (C Q I TM))
                           (U (C P I (TI I)))
                           (V (RPLUS TM (RNEG (TI I))))
                           (W (C Q I (TI I))))
            (LEMMA2D (PI (RPLUS TM (RNEG (TI I)))))
            (LEMMA2D (P Q) (PI (RPLUS TM (RNEG (TI I))))))
       (ENABLE-THEORY REDUCTIONS)
       (ENABLE SKEW RDIFFERENCE RNEG-RPLUS C-REDUCE TI-NEXT RABS-POSITIVE2
               RPLUS-RLEQ-REWRITE RPLUS-RLEQ-REWRITE2 RLEQ-RTIMES-HACK
               IN-R IN-INTERVAL RHO-RLEQ0 RLEQ-TRANSITIVE RLEQ-RPLUS-HACK3
               RLEQ-HALF-RPLUS RLEQ-RTIMES-HACK RPLUS-RLEQ-REWRITE)))

Figure 5: Proof of SUBLEMMA-A Showing USE Hints 

As an interesting aside, just as Rushby and von Henke had to deal with the structure of the inductive proof of 
THEOREM1 in EHDM, we had to confront the same issue in the Boyer-Moore system. We could approach it either 
by defining an appropriate induction schema to make available the required inductive hypotheses (the typical 
approach in the Boyer-Moore system) or by using another approach altogether. Defining an appropriate induction 
schema would have been difficult because the inductive hypothesis was really required in the proof of a large 
subsidiary lemma CULMINATION. We would have needed to prove THEOREM1 and CULMINATION 
simultaneously by packaging them into one lemma. This trick is used often in the Boyer-Moore prover. Our 
solution was again somewhat atypical and illustrates a clever (we think) use of DEFN-SK. 

THEOREM1 has the form: 

    (PROVE-LEMMA THEOREM1 (REWRITE)
      (IMPLIES (S1A I) (S1C P Q I)))

We introduced the DEFN-SK event below to define the structure of the theorem: 
    (DEFN-SK THEOREM1-ONE-STEP (I)
      (FORALL (P Q)
        (IMPLIES (S1A I)
                 (S1C P Q I))))


Notice that this is parameterized by i. Asserting (THEOREM1-ONE-STEP I) is equivalent to asserting that 
THEOREM1 holds through period i. Wherever the EHDM approach used THEOREM1 in the proof, we simply 
asserted THEOREM1-ONE-STEP as an additional hypothesis on the lemma, as in CULMINATION below: 

    (PROVE-LEMMA CULMINATION (REWRITE)
      (IMPLIES
        (AND (S1A (ADD1 I))
             (S1C P Q I)
             (NONFAULTY P (ADD1 I))
             (NONFAULTY Q (ADD1 I))
             (IN-R TM (ADD1 I))
             (THEOREM1-ONE-STEP I))
        (RLEQ (SKEW P Q TM (ADD1 I))
              (RPLUS
                (RQUOTIENT-NAT
                  (RPLUS
                    (RTIMES-NAT (M)
                                (RPLUS (DELTA)
                                       (RTIMES (RATIONAL 2 1) (BIG-DELTA))))
                    (RTIMES-NAT (DIFFERENCE (N) (M))
                                (RTIMES (RATIONAL 2 1)
                                        (RPLUS (EPSILON)
                                               (RPLUS (RTIMES (RHO) (S))
                                                      (RTIMES (RATIONAL 1 2)
                                                              (RTIMES (RHO) (BIG-DELTA))))))))
                  (N))
                (RPLUS (RTIMES (RHO) (R))
                       (RTIMES (RHO) (BIG-SIGMA)))))))


This made available, in the proof of CULMINATION, exactly the instance of THEOREM1 required in that proof. We 
then used CULMINATION in the proof (by induction on i) of the lemma: 

(PROVE-LEMMA THEOREM1-VERSION1 (REWRITE) 

CULMINATION is used in the proof of the induction step, its THEOREM1-ONE-STEP hypothesis being relieved by 
the inductive hypothesis. THEOREM1 follows straightforwardly from THEOREM1-VERSION1. This 
indicates again the utility of DEFN-SK in adding clarity and proof power. 


4.3 Proof Encapsulation 

The Boyer-Moore logic has no convenient way of structuring a specification and proof into a collection of 
“modules.” This is largely dictated by the requirement that the specification and proof be presented in a very 
“bottom up” fashion. A collection of related units may be grouped together in the script, but there is no formal 
mechanism within the logic of encapsulating them into a module or structure of any sort. This is not often a 
problem but makes a large script somewhat harder to browse effectively. 

In contrast, EHDM has a simple but useful structuring mechanism. Related units are grouped into modules. 
Modules implement a style of information hiding by making visible only certain declarations within an 
EXPORTING section. Modules gain access to one another by including a USING section. 
4.4 Syntax 

The Boyer-Moore logic is sometimes criticized for its Lisp-like syntax. This syntax has the advantage of being 
uniquely-readable (unambiguous) and very easily parsed. It has the disadvantage of being different from traditional 
mathematical syntax. Several papers have described proofs in the Boyer-Moore logic using a more traditional 
syntax; however, these may mislead a prospective user of the theorem prover. We feel that the small effort of 
learning a new syntax is well rewarded by gaining access to a powerful proof tool. 

EHDM has reaped the benefits of both a readily parsable syntax and a more familiar “display” syntax by 
implementing a table-driven translator from standard EHDM syntax into a LaTeX format. This gives a nice 
customizable syntax for presentation which Rushby and von Henke claim “enabled us to do most of our work using 
compact and familiar notation and thereby contributed greatly to our productivity” [15]. We believe that this 
overstates the value of this “compact and familiar notation.” 

Our experience with attempting a similar translator for the Boyer-Moore logic is that it is counterproductive to try to 
integrate such a translator with a theorem prover which uses a different syntax for its internal representation, proof 
diagnostics, and output script. If the translation could be entirely transparent to the user, there would be no 
difficulty. However, users of mechanical proof tools often need to be aware of the details of the internal 
representation of rewrite rules, the particular transformations on terms that they effect, and other things which are 
most efficiently expressed in a syntax which is close to that used by the machine. When this is no longer true, then 
syntax will not be an issue. Until then, we feel that the need to continually deal with two different forms is 
confusing and unnecessary. 

Another problem of the EHDM translator is that the notation is not always compact and familiar. For example, we 
found the expression 

ρ*Δ*n-m/n, 

(which appears in a number of lemmas) to be impossibly confusing until we realized that the term n-m is treated as 
though it were grouped. Here the apparent familiarity of the syntax is detrimental because the expected precedence 
rules are not observed with the result that the expression is unnecessarily confusing. This is probably a simple flaw 
in the translator table. But it points up the difficulty of having the correctness of a published proof rely not only on 
the prover and proof chain analyzer, but also on another tool which translates from one notation to another in a 
moderately complex fashion. 

5. Conclusions 

There are a number of other differences between the Boyer-Moore and EHDM versions of the ICCSA proofs which 
will be covered in the (soon to be written) detailed comparison of the two versions. 

We believe that the exercise of specifying and proving the ICCSA using the Boyer-Moore prover was useful in 
several ways. 

• It exercised and further displayed the value of a number of the newer features of the Boyer-Moore 
logic and their support in the theorem prover. These features include the CONSTRAIN and DEFN-SK 
events. 

• It provided the basis for a comparison with the EHDM system and a style of proof possible within that 
system. This aspect will lead to a joint paper comparing the two systems on this problem. 

• It provided a verified specification of the Interactive Convergence Clock Synchronization algorithm as 
a basis for possible future work building toward a verified implementation. 

We believe that two important goals of proof are to increase one's understanding and intuition about the content and 
significance of a theorem, and to provide a convincing argument that it is, in fact, valid. Mechanically supported 
proofs like those in EHDM and ours contribute to both of these goals. We understand this quite subtle algorithm 
and the reason it works much better for the effort. Moreover, our success in convincing a congenitally skeptical 
mechanical proof checker of the validity of the correctness theorems practically guarantees that we have eliminated 
any errors which the much touted "social process" might overlook. Such confidence is particularly comforting in 
domains such as this where a well-developed intuition is difficult to cultivate; the theorem prover is not subject to 
being misled by the urgings of a misguided or ill-informed intuition. 
Appendix 

The ICCSA Event List 

This appendix contains the Boyer-Moore event list representing the specification and proof of the Interactive 
Convergence Clock Synchronization Algorithm. It does not contain the entire proof since it is built "on top of" a 
standard library of integer facts. For brevity we have also not included the collection of definitions and lemmas 
defining the rationals library on which our proof is constructed. The complete script is available on request. 

LEMMA events are macro expanded into a PROVE-LEMMA followed by a DISABLE. 

;; LENGTH 

(defn length (x) 
  (if (nlistp x) 
      0 
      (add1 (length (cdr x))))) 

(prove-lemma length-append (rewrite) 
  (equal (length (append x y)) 
         (plus (length x) (length y)))) 

(lemma length-0 (rewrite) 
  (equal (equal (length x) 0) 
         (nlistp x))) 

;; PLISTP 

(defn plistp (x) 
  (if (nlistp x) 
      (equal x nil) 
      (plistp (cdr x)))) 

(defn plist (x) 
  (if (nlistp x) 
      nil 
      (cons (car x) (plist (cdr x))))) 

;; FIRSTN and RESTN 

(defn firstn (lst n) 
  (if (zerop n) 
      nil 
      (cons (car lst) 
            (firstn (cdr lst) (sub1 n))))) 

(lemma firstn-n (rewrite) 
  (implies (equal n (length lst)) 
           (equal (firstn lst n) 
                  (plist lst)))) 

(lemma firstn-append-lessp (rewrite) 
  (implies (leq m (length lst)) 
           (equal (firstn (append lst lst2) m) 
                  (firstn lst m)))) 

(defn restn (lst n) 
  (if (zerop n) 
      lst 
      (restn (cdr lst) (sub1 n)))) 

(lemma restn-n (rewrite) 
  (implies (and (plistp lst) 
                (equal n (length lst))) 
           (equal (restn lst n) nil)) 
  ((enable restn))) 

(lemma restn-1 (rewrite) 
  (implies (lessp m 1) 
           (equal (restn (list x) m) 
                  (list x))) 
  ((enable restn))) 

(lemma restn-append (rewrite) 
  (implies (leq n (length lst1)) 
           (equal (restn (append lst1 lst2) n) 
                  (append (restn lst1 n) lst2))) 
  ((enable restn))) 

(lemma firstn-append-restn (rewrite) 
  (implies (leq m (length lst)) 
           (equal (append (firstn lst m) 
                          (restn lst m)) 
                  lst))) 
;; RATIONALS WITH NATURALS 

(defn rinverse-nat (n) 
  (reduce (rational 1 (fix n)))) 

(lemma reduce-rinverse-nat (rewrite) 
  (equal (reduce (rinverse-nat n)) 
         (rinverse-nat n)) 
  ((enable reduce-reduce))) 

(defn rtimes-nat (i r) 
  (rtimes (rational (fix i) 1) r)) 

(defn rtimes-nat2 (r i) 
  (rtimes r (rational (fix i) 1))) 

(lemma reduce-rtimes-nat (rewrite) 
  (and (equal (reduce (rtimes-nat x y)) 
              (rtimes-nat x y)) 
       (equal (reduce (rtimes-nat2 x y)) 
              (rtimes-nat2 x y))) 
  ((enable rtimes-nat rtimes-nat2) 
   (enable-theory reductions))) 

(lemma rtimes-nat-rtimes-nat2 (rewrite) 
  (equal (rtimes-nat2 x y) 
         (rtimes-nat y x)) 
  ((enable rtimes-nat rtimes-nat2 commutativity-of-rtimes))) 

(lemma rneg-rtimes-nat (rewrite) 
  (equal (rneg (rtimes-nat i r)) 
         (rtimes-nat i (rneg r))) 
  ((enable rtimes-nat rneg-rtimes) 
   (disable correctness-of-cancel-rneg-terms-from-equality))) 

(defn rquotient-nat (r i) 
  (rtimes r (rinverse-nat i))) 

(lemma rneg-rquotient-nat (rewrite) 
  (equal (rneg (rquotient-nat r n)) 
         (rquotient-nat (rneg r) n)) 
  ((enable rquotient-nat rneg-rtimes 
           rneg-rtimes2))) 

(disable rinverse-nat) 
(disable rtimes-nat) 
(disable rtimes-nat2) 
(disable rquotient-nat) 

(lemma rtimes-nat-add1 (rewrite) 
  (equal (rtimes-nat (add1 i) r) 
         (rplus r (rtimes-nat i r))) 
  ((enable rtimes-nat rtimes-add1))) 

(lemma rtimes-nat-zerop (rewrite) 
  (implies (zerop i) 
           (equal (rtimes-nat i r) 
                  (rational 0 1))) 
  ((enable rtimes-nat rzerop-rtimes))) 

(lemma rinverse-nat-positive (rewrite) 
  (rleq (rational 0 1) 
        (rinverse-nat n)) 
  ((enable rinverse-nat numberp-inverse-nonnegative 
           rleq-reduce))) 

(lemma rabs-rinverse-nat (rewrite) 
  (equal (rabs (rinverse-nat n)) 
         (rinverse-nat n)) 
  ((enable rabs-positive2 rinverse-nat-positive 
           reduce-rinverse-nat))) 

(lemma rquotient-nat-rtimes-nat (rewrite) 
  (implies (not (zerop n)) 
           (equal (rquotient-nat (rtimes-nat n x) n) 
                  (reduce x))) 
  ((enable rtimes-inverse rtimes-nat rquotient-nat 
           rinverse-nat nzerop-denominator-reduce))) 

(lemma rtimes-nat-rquotient-nat (rewrite) 
  (implies (not (zerop n)) 
           (equal (rtimes-nat n (rquotient-nat x n)) 
                  (reduce x))) 
  ((enable rtimes-inverse rtimes-nat rquotient-nat rinverse-nat 
           nzerop-denominator-reduce commutativity-of-rtimes 
           commutativity2-of-rtimes rationalize-invert rtimes-1))) 

(lemma rquotient-nat-rplus (rewrite) 
  (equal (rquotient-nat (rplus x y) n) 
         (rplus (rquotient-nat x n) 
                (rquotient-nat y n))) 
  ((enable rquotient-nat rtimes-rplus-right-distributivity))) 

(lemma div-mon2 (rewrite) 
  (implies (and (rleq x y) 
                (not (zerop z))) 
           (rleq (rquotient-nat x z) 
                 (rquotient-nat y z))) 
  ((enable rquotient-nat rtimes-right-cancellation rinverse-nat 
           nzerop-denominator-reduce reciprocal-positive))) 

(lemma rationalize-rleq2 (rewrite) 
  (implies (not (zerop n)) 
           (rlessp (rational 0 1) (rational n 1))) 
  ((enable rleq rlessp fix-rational ilessp rationalp 
           integerp))) 

(lemma rtimes-nat2-positive-preserves-rleq (rewrite) 
  (implies (and (not (zerop n)) 
                (rleq (rtimes-nat2 x n) 
                      (rtimes-nat2 y n))) 
           (rleq x y)) 
  ((enable rtimes-right-cancellation rtimes-nat2 rationalize-rleq2))) 

;; RSUM and RMEAN 

(defn rsum (lst) 
  (if (nlistp lst) 
      (rational 0 1) 
      (rplus (car lst) 
             (rsum (cdr lst))))) 

(disable rsum) 

(lemma reduce-rsum (rewrite) 
  (equal (reduce (rsum lst)) 
         (rsum lst)) 
  ((enable reduce-rplus rsum))) 

(lemma rplus-rsum (rewrite) 
  (equal (rplus (rsum lst1) (rsum lst2)) 
         (rsum (append lst1 lst2))) 
  ((enable rsum rplus-rzerop reduce-rsum 
           associativity-of-rplus))) 

(lemma rsum-append (rewrite) 
  (equal (rsum (append lst1 lst2)) 
         (rplus (rsum lst1) (rsum lst2))) 
  ((enable associativity-of-rplus rsum rplus-rzerop 
           reduce-rsum))) 

(defn rmean (lst) 
  (rquotient-nat (rsum lst) (length lst))) 

(defn all-rlessp (lst x) 
  (if (nlistp lst) 
      t 
      (and (rlessp (car lst) x) 
           (all-rlessp (cdr lst) x)))) 

(lemma all-rlessp-append (rewrite) 
  (equal (all-rlessp (append x y) z) 
         (and (all-rlessp x z) 
              (all-rlessp y z))) 
  ((enable all-rlessp))) 

(lemma all-rlessp-rleq-transitive (rewrite) 
  (implies (and (all-rlessp lst x) 
                (rleq x y)) 
           (all-rlessp lst y)) 
  ((enable rlessp-rleq-transitivity))) 

(lemma sum-bound (rewrite) 
  (implies (and (listp lst) 
                (all-rlessp lst x)) 
           (rlessp (rsum lst) 
                   (rtimes-nat (length lst) x))) 
  ((enable all-rlessp rsum rtimes-nat-zerop 
           rtimes-nat-add1 rlessp-rleq rplus-rzerop 
           rlessp-reduce rlessp-rplus-pair))) 

(lemma nzerop-inverse-positive (rewrite) 
  (implies (not (zerop n)) 
           (rlessp (rational 0 1) 
                   (rational 1 n))) 
  ((enable rlessp rationalp fix-rational ilessp))) 

(lemma mean-bound (rewrite) 
  ;; if all of the elements in the list are less than x, 
  ;; then the mean of the list is less than x 
  (implies (and (listp lst) 
                (all-rlessp lst x)) 
           (rlessp (rmean lst) x)) 
  ((use (sum-bound)) 
   (enable rlessp-invert-rtimes rinverse-numberp-inverse 
           nzerop-inverse-positive length-0 rtimes-nat 
           nzerop-denominator-reduce rquotient-nat rinverse-nat))) 

;; MAP-RABS 

(defn map-rabs (lst) 
  (if (nlistp lst) 
      nil 
      (cons (rabs (car lst)) 
            (map-rabs (cdr lst))))) 

(lemma length-map-rabs (rewrite) 
  (equal (length (map-rabs lst)) 
         (length lst))) 

(lemma map-rabs-append (rewrite) 
  (equal (map-rabs (append x y)) 
         (append (map-rabs x) (map-rabs y)))) 

(lemma plistp-map-rabs (rewrite) 
  (plistp (map-rabs lst)) 
  ((enable map-rabs plistp))) 

(lemma plist-map-rabs (rewrite) 
  (equal (plist (map-rabs x)) 
         (map-rabs x)) 
  ((enable map-rabs plist))) 

(lemma rabs-rsum-map-rabs (rewrite) 
  (rleq (rabs (rsum lst)) 
        (rsum (map-rabs lst))) 
  ((enable rsum rabs-rplus-hack))) 

(lemma abs-mean (rewrite) 
  ;; the abs of the mean is leq the mean of the absolute values 
  (rleq (rabs (rmean lst)) 
        (rmean (map-rabs lst))) 
  ((enable rabs-rtimes rtimes-rleq2 rabs-rsum-map-rabs 
           rinverse-nat-positive rquotient-nat rzerop-rtimes 
           rabs-rinverse-nat length-map-rabs))) 

(lemma listp-map-rabs (rewrite) 
  (equal (listp (map-rabs x)) 
         (listp x))) 

;; REARRANGE LEMMAS 

(lemma rearrange1 (rewrite) 
  (equal (rdifference x y) 
         (rplus (rdifference x (rplus u v)) 
                (rplus (rdifference (rplus w z) y) 
                       (rdifference (rplus u v) (rplus w z))))) 
  ((enable rdifference rneg-rplus associativity-of-rplus reduce-rneg))) 

(lemma rabs-negation-equality-hack (rewrite) 
  (equal (rabs (rplus y (rplus (rneg w) (rneg z)))) 
         (rabs (rplus w (rplus z (rneg y))))) 
  ((use (rabs-rneg (x (rplus y (rplus (rneg w) (rneg z)))))) 
   (enable commutativity-of-rplus commutativity2-of-rplus 
           rplus-reduce rneg-rneg rneg-rplus))) 

(lemma rearrange2-transitivity (rewrite) 
  (implies 
    (rleq (rabs (rplus x (rneg y))) 
          (rplus (rabs (rplus x (rplus (rneg u) (rneg v)))) 
                 (rplus (rabs (rplus u 
                                     (rplus v (rplus (rneg w) (rneg z))))) 
                        (rabs (rplus w (rplus z (rneg y))))))) 
    (rleq (rabs (rplus x (rneg y))) 
          (rplus (rabs (rplus x (rplus (rneg u) (rneg v)))) 
                 (rplus (rabs (rplus y (rplus (rneg w) (rneg z)))) 
                        (rabs (rplus u 
                                     (rplus v 
                                            (rplus (rneg w) (rneg z))))))))) 
  ((use (rleq-transitive 
          (x (rabs (rplus x (rneg y)))) 
          (y (rplus (rabs (rplus x (rplus (rneg u) (rneg v)))) 
                    (rplus (rabs (rplus u (rplus v (rplus (rneg w) (rneg z))))) 
                           (rabs (rplus w (rplus z (rneg y))))))) 
          (z (rplus (rabs (rplus x (rplus (rneg u) (rneg v)))) 
                    (rplus (rabs (rplus y (rplus (rneg w) (rneg z)))) 
                           (rabs (rplus u (rplus v (rplus (rneg w) (rneg z)))))))))) 
   (enable rabs-negation-equality-hack 
           rleq-reflexive commutativity2-of-rplus 
           commutativity-of-rplus rleq-reduce rplus-cancel))) 

(lemma rearrange2 (rewrite) 
  (rleq (rabs (rplus (rdifference x (rplus u v)) 
                     (rplus (rdifference (rplus w z) y) 
                            (rdifference (rplus u v) (rplus w z))))) 
        (rplus (rabs (rdifference x (rplus u v))) 
               (rplus (rabs (rdifference y (rplus w z))) 
                      (rabs (rplus u (rdifference v (rplus w z))))))) 
  ((use (rabs-rplus-rleq2 (x (rdifference x (rplus u v))) 
                          (y (rdifference (rplus u v) (rplus w z))) 
                          (z (rdifference (rplus w z) y))) 
        (rabs-rneg (x (rdifference (rplus w z) y)))) 
   (enable rplus-reduce rneg-rneg rdifference 
           reduce-rneg associativity-of-rplus 
           rneg-rplus rdifference rearrange2-transitivity))) 

(lemma rearrange (rewrite) 
  (rleq (rabs (rdifference x y)) 
        (rplus (rabs (rdifference x (rplus u v))) 
               (rplus (rabs (rdifference y (rplus w z))) 
                      (rabs (rplus u (rdifference v (rplus w z))))))) 
  ((use (rearrange1) (rearrange2)))) 

(lemma rearrange-alt (rewrite) 
  (rleq (rabs (rplus x (rneg y))) 
        (rplus (rabs (rplus x (rneg (rplus u v)))) 
               (rplus (rabs (rplus u (rneg w))) 
                      (rabs (rplus y (rneg (rplus w v))))))) 
  ((use (rearrange (z v))) 
   (enable rplus-reduce rneg-rneg reduce-rneg 
           associativity-of-rplus rneg-rplus rdifference commutativity-of-rplus))) 

(lemma rearrange3 (rewrite) 
  (rleq (rabs (rdifference x y)) 
        (rplus (rabs (rdifference u y)) 
               (rplus (rabs (rdifference v x)) 
                      (rplus (rabs (rdifference v w)) 
                             (rabs (rdifference u w)))))) 
  ((use (rabs-rplus-rleq3 (x (rplus u (rneg y))) 
                          (y (rplus x (rneg v))) 
                          (z (rplus v (rneg w))) 
                          (w (rplus w (rneg u)))) 
        (rleq-transitive 
          (x (rabs (rplus x (rneg y)))) 
          (y (rabs (rplus (rplus u (rneg y)) 
                          (rplus (rplus x (rneg v)) 
                                 (rplus (rplus v (rneg w)) 
                                        (rplus w (rneg u))))))) 
          (z (rplus (rabs (rplus u (rneg y))) 
                    (rplus (rabs (rplus v (rneg x))) 
                           (rplus (rabs (rplus v (rneg w))) 
                                  (rabs (rplus u (rneg w))))))))) 
   (enable rplus-reduce rneg-rneg reduce-rneg 
           rabs-rdifference associativity-of-rplus rneg-rplus 
           rdifference commutativity-of-rplus rleq-reflexive))) 

(lemma rearrange4 (rewrite) 
  (rleq (rabs (rdifference (rplus a x) (rplus b y))) 
        (rplus (rabs (rdifference a b)) 
               (rplus (rabs x) (rabs y)))) 
  ((use (rabs-rplus-rleq2 (x (rplus a (rneg b))) (y x) (z (rneg y)))) 
   (enable rdifference commutativity-of-rplus commutativity2-of-rplus 
           associativity-of-rplus rabs-rneg rneg-rplus))) 

;; REARRANGE-DELTA from module JUGGLE 

(lemma rearrange-delta-step1 nil 
  (implies (and (not (zerop i)) 
                (rleq (rplus x (rplus y (rplus z (rplus w v)))) d)) 
           (rleq (rplus (rtimes-nat2 x i) 
                        (rplus (rtimes-nat2 y i) 
                               (rplus (rtimes-nat2 z i) 
                                      (rplus (rtimes-nat2 w i) 
                                             (rtimes-nat2 v i))))) 
                 (rtimes-nat2 d i))) 
  ((enable rleq requal rtimes-nat2 rtimes-rplus-right-factorization 
           rlessp-antisymmetric rlessp-trichotomy rationalized-non-zerop-rlessp) 
   (enable-theory reductions))) 

(lemma rearrange-delta-step2 nil 
  (implies (and (lessp m n) 
                (rleq x (rtimes-nat2 d (difference n m)))) 
           (rleq (rplus (rtimes-nat2 d m) x) (rtimes-nat2 d n))) 
  ((enable rtimes-nat2 rzerop-rtimes rplus-rzerop rleq-reduce 
           rtimes-distributes-over-plus rplus-cancel rtimes-rzerop))) 

(lemma rearrange-delta-step3 nil 
  (implies (and (not (zerop i)) 
                (rleq (rplus x (rplus y (rplus z (rplus w (rplus v u))))) 
                      (rtimes-nat2 d i))) 
           (rleq (rplus (rquotient-nat x i) 
                        (rplus (rquotient-nat y i) 
                               (rplus (rquotient-nat z i) 
                                      (rplus (rquotient-nat w i) 
                                             (rplus (rquotient-nat v i) 
                                                    (rquotient-nat u i)))))) 
                 d)) 
  ((enable rtimes-nat2 rzerop-rtimes rplus-rzerop rleq-reduce 
           rquotient-nat rtimes-rplus-right-factorization rplus-cancel 
           rtimes-rzerop rinverse-nat nzerop-denominator-reduce 
           rtimes-multiply-by-rinverse rinverse-numberp-inverse 
           nzerop-inverse-positive))) 

(lemma rearrange-delta-step4 (rewrite) 
  (equal (rplus (rquotient-nat x n) 
                (rplus (rquotient-nat y n) 
                       (rplus (rquotient-nat z n) 
                              (rplus w (rplus (rquotient-nat u n) v))))) 
         (rplus (rquotient-nat (rplus x (rplus y (rplus z u))) n) 
                (rplus w v))) 
  ((enable associativity-of-rplus commutativity-of-rplus reduce-rtimes 
           commutativity2-of-rplus rquotient-nat rinverse-nat 
           rtimes-rplus-right-factorization))) 

(lemma rearrange-delta-step5 (rewrite) 
  (equal (rplus (rtimes-nat m d) 
                (rplus (rtimes-nat y (rtimes (rational 2 1) (rplus e z))) 
                       (rplus (rtimes-nat (plus m m) w) (rtimes-nat y x)))) 
         (rplus (rtimes-nat m (rplus d (rtimes (rational 2 1) w))) 
                (rtimes-nat y 
                            (rtimes (rational 2 1) 
                                    (rplus e (rplus z (rtimes (rational 1 2) x))))))) 
  ((enable-theory reductions) 
   (enable rtimes-nat associativity-of-rplus 
           rtimes-distributes-over-rplus commutativity-of-rtimes 
           commutativity2-of-rtimes half3 
           commutativity-of-rplus commutativity2-of-rplus 
           rtimes-distributes-over-plus rtimes2-expand))) 

(lemma rearrange-delta (rewrite) 
  (implies (and (lessp m n) 
                (numberp m) 
                (rleq (rplus (rtimes (rational 2 1) (rplus epsilon (rtimes rho s))) 
                             (rplus (rquotient-nat (rtimes-nat (times 2 m) big-delta) 
                                                   (difference n m)) 
                                    (rplus (rquotient-nat (rtimes-nat n (rtimes rho r)) 
                                                          (difference n m)) 
                                           (rplus (rtimes rho big-delta) 
                                                  (rquotient-nat 
                                                    (rtimes-nat n (rtimes rho big-sigma)) 
                                                    (difference n m)))))) 
                      delta)) 
           (rleq (rplus (rquotient-nat 
                          (rplus 
                            (rtimes-nat m 
                                        (rplus delta 
                                               (rtimes (rational 2 1) big-delta))) 
                            (rtimes-nat 
                              (difference n m) 
                              (rtimes (rational 2 1) 
                                      (rplus epsilon 
                                             (rplus (rtimes rho s) 
                                                    (rtimes (rational 1 2) 
                                                            (rtimes rho big-delta))))))) 
                          n) 
                        (rplus (rtimes rho r) 
                               (rtimes rho big-sigma))) 
                 delta)) 
  ((use (rearrange-delta-step1 
          (d delta) 
          (i (difference n m)) 
          (x (rtimes (rational 2 1) 
                     (rplus epsilon (rtimes rho s)))) 
          (y (rquotient-nat (rtimes-nat (times 2 m) big-delta) 
                            (difference n m))) 
          (z (rquotient-nat (rtimes-nat n (rtimes rho r)) 
                            (difference n m))) 
          (w (rtimes rho big-delta)) 
          (v (rquotient-nat (rtimes-nat n (rtimes rho big-sigma)) 
                            (difference n m)))) 
        (rearrange-delta-step2 
          (x 
            (rplus 
              (rtimes-nat2 (rtimes (rational 2 1) 
                                   (rplus epsilon (rtimes rho s))) 
                           (difference n m)) 
              (rplus (reduce (rtimes-nat (times 2 m) big-delta)) 
                     (rplus (reduce (rtimes-nat n (rtimes rho r))) 
                            (rplus (rtimes-nat2 (rtimes rho big-delta) 
                                                (difference n m)) 
                                   (reduce (rtimes-nat n 
                                                       (rtimes rho big-sigma)))))))) 
          (d delta)) 
        (rearrange-delta-step3 
          (i n) 
          (d delta) 
          (x (rtimes-nat2 delta m)) 
          (y (rtimes-nat2 (rtimes (rational 2 1) 
                                  (rplus epsilon (rtimes rho s))) 
                          (difference n m))) 
          (z (rtimes-nat (times 2 m) big-delta)) 
          (w (rtimes-nat n (rtimes rho r))) 
          (v (rtimes-nat2 (rtimes rho big-delta) 
                          (difference n m))) 
          (u (rtimes-nat n 
                         (rtimes rho big-sigma))))) 
   (enable rtimes-nat-rquotient-nat rtimes-nat-rtimes-nat2 
           reduce-rtimes-nat 
           rquotient-nat-rtimes-nat rearrange-delta-step4 rearrange-delta-step5) 
   (enable-theory reductions))) 


;; THE INTERACTIVE CONVERGENCE ALGORITHM PROOF 

(constrain parameters-intro (rewrite) 
  ;; R and S 
  (and (rationalp (R)) 
       (rationalp (S)) 
       (rlessp (rational 0 1) (R))                      ;; pos_R 
       (rlessp (rational 0 1) (S))                      ;; pos_S 
       (rleq (rtimes (rational 3 1) (S)) (R))           ;; C1 
       ;; rho 
       (rationalp (rho)) 
       (rleq (rational 0 1) (rtimes (rational 1 2) (rho)))   ;; rho_pos 
       (rlessp (rtimes (rational 1 2) (rho))                 ;; rho/2 < 1 
               (rational 1 1)) 
       ;; other parameters 
       (rationalp (epsilon)) 
       (rationalp (delta)) 
       (rationalp (delta0)) 
       (rationalp (big-sigma)) 
       (rationalp (big-delta)) 
       (numberp (n)) 
       (not (equal (n) 0)) 
       (numberp (m)) 
       (lessp (m) (n)) 
       ;; constraints C0_a, C0_b, C0_c, C2, C3, C4 
       (rlessp (rational 0 1) (big-delta)) 
       (rleq (big-sigma) (s)) 
       (rleq (big-delta) (big-sigma)) 
       (rleq (rplus (delta) 
                    (rplus (epsilon) 
                           (rtimes (rational 1 2) 
                                   (rtimes (rho) (s))))) 
             (big-delta)) 
       (rleq (rplus (delta0) (rtimes (rho) (R)))       ;; C5 
             (delta)) 
       (rleq (rplus (rtimes (rational 2 1)             ;; C6 
                            (rplus (epsilon) (rtimes (rho) (S)))) 
                    (rplus (rquotient-nat (rtimes-nat (times 2 (m)) (big-delta)) 
                                          (difference (n) (m))) 
                           (rplus (rquotient-nat (rtimes-nat (n) (rtimes (rho) (r))) 
                                                 (difference (n) (m))) 
                                  (rplus (rtimes (rho) (big-delta)) 
                                         (rquotient-nat 
                                           (rtimes-nat (n) (rtimes (rho) (big-sigma))) 
                                           (difference (n) (m))))))) 
             (delta))) 
  ((R (lambda () (rational 3 1))) 
   (S (lambda () (rational 1 1))) 
   (rho (lambda () (rational 0 1))) 
   (epsilon (lambda () (rational 0 1))) 
   (delta (lambda () (rational 0 1))) 
   (delta0 (lambda () (rational 0 1))) 
   (big-sigma (lambda () (rational 1 2))) 
   (big-delta (lambda () (rational 1 2))) 
   (n (lambda () 1)) 
   (m (lambda () 0)))) 


(lemma big-sigma-positive (rewrite) 
  (rlessp (rational 0 1) (big-sigma)) 
  ((use (rlessp-rleq-transitivity (x (rational 0 1)) (y (big-delta)) (z (big-sigma)))))) 

(lemma S-rleq (rewrite) 
  (and (rlessp (rational 0 1) (S)) 
       (rleq (rational 0 1) (S))) 
  ((use (rlessp-rleq (x (rational 0 1)) (y (S)))))) 

(lemma c5 (rewrite) 
  (rleq (rplus (delta0) (rtimes (rho) (r))) (delta))) 

;; This is just a part of parameters-intro isolated so that we could USE it more 
;; conveniently. 

(lemma c6 (rewrite) 
  (rleq (rplus (rtimes (rational 2 1) 
                       (rplus (epsilon) (rtimes (rho) (S)))) 
               (rplus (rquotient-nat (rtimes-nat (times 2 (m)) (big-delta)) 
                                     (difference (n) (m))) 
                      (rplus (rquotient-nat (rtimes-nat (n) (rtimes (rho) (r))) 
                                            (difference (n) (m))) 
                             (rplus (rtimes (rho) (big-delta)) 
                                    (rquotient-nat 
                                      (rtimes-nat (n) (rtimes (rho) (big-sigma))) 
                                      (difference (n) (m))))))) 
        (delta)) 
  ((use (parameters-intro)))) 

(lemma SinR (rewrite) 
  (rlessp (S) (R)) 
  ((enable rtimes3-rlessp))) 
(constrain T0-intro (rewrite) 
  (rationalp (T0)) 
  ((T0 (lambda () (rational 0 1))))) 

(defn Ti (i) 
  (rplus (T0) (rtimes-nat i (R)))) 

(disable ti) 

(lemma ti-zerop (rewrite) 
  (implies (zerop i) 
           (equal (ti i) 
                  (reduce (t0)))) 
  ((enable ti rplus-rzerop 
           rtimes-nat-zerop))) 

(lemma ti-next (rewrite) 
  (equal (ti (add1 i)) 
         (rplus (ti i) (R))) 
  ((enable commutativity-of-rplus ti rtimes-nat-add1 
           commutativity2-of-rplus 
           rplus-reduce))) 

(lemma not-numberp-ti (rewrite) 
  (implies (not (numberp i)) 
           (equal (ti i) (ti 0))) 
  ((enable ti rtimes-nat-zerop))) 

;; We use a different but equivalent notion of Rdef. The Rushby approach uses 
;; an unnecessary existential quantifier. 

(defn-sk* Rdef (tm i) 
  (exists pi 
    (and (rleq (rational 0 1) pi) 
         (rleq pi (R)) 
         (equal (reduce tm) (rplus (ti i) pi))))) 

(defn in-interval (tm low high) 
  (and (rleq low tm) 
       (rleq tm high))) 

(disable in-interval) 

(lemma in-interval-inclusion (rewrite) 
  (implies (and (in-interval y low x) 
                (in-interval x low high)) 
           (in-interval y low high)) 
  ((enable rleq-transitive in-interval))) 

(defn in-R (tm i) 
  (in-interval tm (Ti i) (ti (add1 i)))) 

(lemma not-numberp-in-r (rewrite) 
  (implies (not (numberp i)) 
           (equal (in-r tm i) 
                  (in-r tm 0))) 
  ((enable in-r not-numberp-ti))) 

(disable in-r) 

;; This shows that the two definitions of Rdef are equivalent. Subsequently, we won't 
;; bother with Rushby's definition. 

(prove-lemma Rdef-in-R-equivalence () 
  (iff (Rdef tm i) 
       (in-R tm i)) 
  ((use (rdef-necc) 
        (rdef-suff (pi (rplus tm (rneg (ti i)))))) 
   (enable in-interval rdifference rleq-rdifference3 in-r 
           rleq-rdifference4 ti-next rleq-rplus rplus-preserves-rleq) 
   (do-not-induct t))) 

;; Again, the Rushby definition is quite different but we prove below 
;; the equivalence of the two. 
(defn-sk* Sdef (tm i) 
  (exists pi 
    (and (rleq (rational 0 1) pi) 
         (rleq pi (S)) 
         (equal (reduce tm) (rplus (ti i) (rplus (rdifference (R) (S)) pi)))))) 

(defn in-S (tm i) 
  (in-interval tm 
               (rdifference (Ti (add1 i)) (S)) 
               (Ti (add1 i)))) 

(disable in-s) 

(lemma sdef-in-s-equivalence-case3 (rewrite) 
  (implies (and (equal (rplus (s) tm) 
                       (rplus (ti i) 
                              (rplus (r) (pi-1 i tm)))) 
                (rleq (pi-1 i tm) (s)) 
                (rleq (rational 0 1) (pi-1 i tm))) 
           (rleq tm (rplus (ti i) (r)))) 
  ((use (rleq-rplus (z tm) (y (rplus (ti i) (r))) (x (rdifference (s) (pi-1 i tm))))) 
   (enable reduce-rplus rdifference commutativity-of-rplus 
           commutativity2-of-rplus associativity-of-rplus 
           rleq-rdifference-rzero))) 

(lemma sdef-equivalence-hack (rewrite) 
  (implies (rleq tm (rplus (ti i) (r))) 
           (rleq (rplus tm 
                        (rplus (rneg (ti i)) (rneg (r)))) 
                 (rational 0 1))) 
  ((enable-theory reductions) 
   (enable rleq requal))) 

(prove-lemma Sdef-in-S-equivalence () 
  (iff (Sdef tm i) 
       (in-S tm i)) 
  ((use (sdef-necc) 
        (sdef-suff (pi (rdifference tm (rplus (ti i) (rdifference (r) (s))))))) 
   (enable-theory reductions) 
   (enable in-s in-interval rdifference associativity-of-rplus 
           rleq-rplus ti-next sdef-in-s-equivalence-case3 sdef-equivalence-hack 
           rleq-rplus-hack rneg-rplus rneg-rneg rdifference rleq-rplus-hack2))) 

(lemma inRS (rewrite) 
  (implies (in-S tm i) 
           (in-R tm i)) 
  ((enable rdifference sinr rlessp-rdifference2 in-s in-r in-interval 
           associativity-of-rplus commutativity-of-rplus ti-next) 
   (use (rplus-preserves-rleq3 
          (x (ti i)) 
          (y tm) 
          (z (rplus (r) (rneg (s)))))))) 

(lemma Ti-in-S (rewrite) 
  (in-S (Ti (add1 i)) i) 
  ((enable-theory reductions) 
   (enable in-s in-interval rdifference ti-next rleq requal 
           associativity-of-rplus rlessp-rleq s-rleq rleq-reflexive))) 

(lemma in-S-lemma (rewrite) 
  (implies (and (in-S t1 i) 
                (in-S t2 i)) 
           (rleq (rabs (rdifference t1 t2)) (S))) 
  ((use (betweenness-distance (p1 t1) (p2 t2) 
                              (low (rplus (ti i) (rplus (r) (rneg (s))))) 
                              (high (rplus (ti i) (r))))) 
   (enable in-s in-interval rdifference rneg-rplus rneg-rneg reduce-rneg 
           ti-next associativity-of-rplus rleq-transitive rabs-positive1 
           rleq-reduce rleq-reflexive s-rleq))) 

(lemma in-S-lemma2 (rewrite) 
  (implies (and (in-S t1 i) 
                (in-S t2 i)) 
           (rleq (rabs (rplus t1 (rneg t2))) (S))) 
  ((use (in-s-lemma)) 
   (enable rdifference))) 

(constrain clock-intro (rewrite) 

(rationalp (clock p ct)) 

((clock (lambda (x y) (rational 0 1))))) 

(lemma rho-rleqO (rewrite) 

(rleq (rational 0 1) (rho)) 

({use (rtimes-rleq (x (rational 12)) (y (rho)))))) 

(defn-sk+ good-clock (p low high) 

;; This says that p’s dock is good within the interval (low, high) 

;; where rho is the maximum dock drift rate. 

(forall (tl 1 2 ) 

(implies (and (in-interval tl low high) 

(in-interval t2 low high)) 

(rleq (rabs (rplus (clock p tl) 

(rplus (rneg (clock p t2)) 

(rplus (rneg tl) t2> ) ) ) 
(rtimes (racional 1 2) 

(rtimes (rho) 

(rabs (rplus tl (rneg t2) )))))))) 

;; Delta2 is the function which reads the difference between the docks of r and p 

;; in period L If either of r or p is not a process, then ail bets are off. 

(constrain delta2-intro (rewrite) 

(and (rationalp (delta2 r p D) 

(equal (delta2 p p i) (rational 0 1)) 

(implies (not (numberp U) 

(equal (delta2 r p i) 

(del ta2 r p Q)J) 

(equal (reduce (delta2 p q i ) ) 

(delta2 pqi))) 

( (delta2 (lambda (r p i) (rational 0 1))))) 

(defn d2-bar (r p i) 

(if (and (not (equal r p) ) 

(rlessp (rabs (delta2 r p i)) (big-delta))) 

(delta2 r p i) 

(rational 0 1) ) ) 

(disable d2-bar) 

;; This assumes that processes are numbered from l..(n). 

(defn d2-bar-list (n p i) 

(if (zerop n) 
nil 

(cons (d2-bar n p i) (d2-bar-list (subl n) p i)))) 

(lemma length-d2-bar-list (rewrite) 

(equal (length (d2-bar-list n p i ) ) 

(fix n) ) ) 

(defn d2-bar-mean (n p i) 

(rmean (d2-bar-list n p i))) 

(disable d2-bar-mean) 

(defn deltal (p 1) 

(d2-bar-mean (n) p i)) 


(disable deltal) 


(lemma non-numberp-d2-bar-list (rewrite)
  (implies (not (numberp i))
           (equal (d2-bar-list n p i)
                  (d2-bar-list n p 0)))
  ((enable delta1 d2-bar)))

(lemma non-numberp-delta1 (rewrite)
  (implies (not (numberp i))
           (equal (delta1 p i)
                  (delta1 p 0)))
  ((enable delta1 non-numberp-d2-bar-list
           d2-bar-mean)))


(constrain corr0-intro (rewrite)
  (and (rationalp (corr0))
       (equal (reduce (corr0)) (corr0)))
  ((corr0 (lambda () (rational 0 1)))))

(defn corr (p i)
  (if (zerop i)
      (corr0)
      (rplus (corr p (sub1 i))
             (delta1 p (sub1 i)))))

(lemma corr-add1 (rewrite)
  (equal (corr p (add1 i))
         (rplus (corr p i) (delta1 p i)))
  ((enable non-numberp-delta1 corr)))

(defn adjusted (p i tm)
  (rplus tm (corr p i)))

(disable adjusted)

(lemma adjusted-zero (rewrite)
  (equal (adjusted p 0 tm)
         (rplus tm (corr0)))
  ((enable adjusted)))

(lemma adjusted-reduce (rewrite)
  (equal (adjusted p i (reduce tm))
         (adjusted p i tm))
  ((enable adjusted rplus-reduce)))

(lemma not-numberp-adjusted (rewrite)
  (implies (not (numberp i))
           (equal (adjusted p i tm)
                  (adjusted p 0 tm)))
  ((enable adjusted)))

(lemma adjusted-rplus (rewrite)
  (equal (adjusted p i (rplus x y))
         (rplus (adjusted p i x) y))
  ((enable adjusted associativity-of-rplus
           commutativity-of-rplus)))


(defn c (p i tm)
  (clock p (adjusted p i tm)))

(disable c)

(lemma clock-prop (rewrite)
  (equal (c p (add1 i) tm)
         (c p i (rplus tm (delta1 p i))))
  ((enable c adjusted corr non-numberp-delta1
           associativity-of-rplus commutativity-of-rplus)))

(lemma c-reduce (rewrite)
  (equal (c p i (reduce tm))
         (c p i tm))
  ((enable c adjusted-reduce)))

(lemma c-commutativity (rewrite)
  (equal (c p i (rplus y x))
         (c p i (rplus x y)))
  ((enable commutativity-of-rplus)))


(lemma d2-bar-prop (rewrite)
  (rlessp (rabs (d2-bar p q i)) (big-delta))
  ((enable d2-bar)))

(defn skew (p q tm i)
  (rabs (rdifference (c p i tm)
                     (c q i tm))))

(disable skew)

(lemma not-numberp-skew (rewrite)
  (implies (not (numberp i))
           (equal (skew p q tm i)
                  (skew p q tm 0)))
  ((enable skew c not-numberp-adjusted)))

(defn nonfaulty (p i)
  (good-clock p (adjusted p 0 (ti 0)) (adjusted p i (ti (add1 i)))))

(lemma not-numberp-nonfaulty (rewrite)
  (implies (not (numberp i))
           (equal (nonfaulty p i)
                  (nonfaulty p 0)))
  ((enable nonfaulty not-numberp-adjusted)))

(defn faulty (p i)
  (not (nonfaulty p i)))

(disable nonfaulty)

(defn-sk+ S1A (i)
  (forall r
    (implies (and (leq (add1 (m)) r)
                  (leq r (n)))
             (nonfaulty r i))))

(defn-sk+ S1C (p q i)
  (forall tm
    (implies (and (nonfaulty p i)
                  (nonfaulty q i)
                  (in-r tm i))
             (rleq (skew p q tm i) (delta)))))

(lemma not-numberp-S1C (rewrite)
  (implies (and (not (numberp i))
                (S1C p q 0))
           (S1C p q i))
  ((use (S1C-necc (i 0) (tm (tm i p q))))
   (enable not-numberp-skew not-numberp-nonfaulty not-numberp-in-r)))

(defn S2 (p i)
  (rlessp (rabs (rdifference (corr p (add1 i))
                             (corr p i)))
          (big-sigma)))

(disable S2)
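Added example, not part of the original Nqthm script or of the Rushby/von Henke development: a Python model over exact rationals of the definitions above (d2-bar, d2-bar-list, delta1, corr, adjusted, c, skew, the good-clock condition and S2), so that the bookkeeping can be run on concrete readings. The parameter values, the four sample clocks and the reading function sample_delta2 are constructed for illustration; big-delta <= big-sigma is assumed, since that is the relation the delta1-rlessp argument needs to pass from the reading cut-off to the correction bound.

```python
"""Executable model of the ICCSA bookkeeping defined above (d2-bar, d2-bar-list,
delta1, corr, adjusted, c, skew, good-clock, S2) over exact rationals.
Added example; not part of the original Nqthm script. Parameters, clocks and
readings below are constructed sample data."""
from fractions import Fraction as F
from itertools import combinations

# Hypothetical parameters (not the paper's values). big-delta <= big-sigma is
# assumed; it is the relation delta1-rlessp needs to pass from the reading
# cut-off to the correction bound.
RHO = F(1, 1000)      # maximum drift rate (rho)
BIG_DELTA = F(5)      # reading cut-off (big-delta)
BIG_SIGMA = F(5)      # bound on one correction step (big-sigma)
N = 4                 # processes are numbered 1..N, as d2-bar-list assumes


def d2_bar(delta2, r, p, i):
    """(defn d2-bar (r p i)): keep r's reading at p only if r /= p and it is below big-delta."""
    if r != p and abs(delta2(r, p, i)) < BIG_DELTA:
        return delta2(r, p, i)
    return F(0)


def d2_bar_list(delta2, n, p, i):
    """(defn d2-bar-list (n p i)): clipped readings of processes n, n-1, ..., 1."""
    return [d2_bar(delta2, r, p, i) for r in range(n, 0, -1)]


def delta1(delta2, p, i):
    """(defn delta1 (p i)): egocentric mean of all N clipped readings, zeros included."""
    lst = d2_bar_list(delta2, N, p, i)
    return sum(lst, F(0)) / len(lst)


def corr(delta2, p, i, corr0=F(0)):
    """(defn corr (p i)): corr(p, 0) = corr0 and corr(p, j+1) = corr(p, j) + delta1(p, j)."""
    total = corr0
    for j in range(i):
        total += delta1(delta2, p, j)
    return total


def adjusted(delta2, p, i, tm):
    """(defn adjusted (p i tm)): real time tm shifted by the period-i correction."""
    return tm + corr(delta2, p, i)


def c(clock, delta2, p, i, tm):
    """(defn c (p i tm)): p's period-i adjusted clock read at real time tm."""
    return clock(p, adjusted(delta2, p, i, tm))


def skew(clock, delta2, p, q, tm, i):
    """(defn skew (p q tm i)): |c(p, i, tm) - c(q, i, tm)|."""
    return abs(c(clock, delta2, p, i, tm) - c(clock, delta2, q, i, tm))


def good_clock(clock, p, low, high, samples):
    """The good-clock condition checked on a finite grid of sample points in [low, high]:
    |(C(t1) - C(t2)) - (t1 - t2)| <= (rho/2) * |t1 - t2| for every pair."""
    pts = [t for t in samples if low <= t <= high]
    return all(abs((clock(p, t1) - clock(p, t2)) - (t1 - t2)) <= RHO / 2 * abs(t1 - t2)
               for t1, t2 in combinations(pts, 2))


def s2_holds(delta2, p, i):
    """(defn S2 (p i)): |corr(p, i+1) - corr(p, i)| < big-sigma."""
    return abs(corr(delta2, p, i + 1) - corr(delta2, p, i)) < BIG_SIGMA


def theorem2_chain(delta2, p, i):
    """The inequality chain behind delta1-rlessp and theorem2:
    |delta1| <= mean(|d2-bar|) < big-delta <= big-sigma, so S2 holds."""
    lst = d2_bar_list(delta2, N, p, i)
    mean_abs = sum((abs(x) for x in lst), F(0)) / len(lst)
    return (abs(delta1(delta2, p, i)) <= mean_abs < BIG_DELTA <= BIG_SIGMA
            and s2_holds(delta2, p, i))


# Constructed sample clocks: processes 1..3 drift within rho/2, process 4 is faulty.
DRIFT = {1: F(1, 4000), 2: F(-1, 4000), 3: F(1, 2000), 4: F(1, 50)}
OFFSET = {1: F(0), 2: F(1, 2), 3: F(-1, 2), 4: F(30)}


def sample_clock(p, t):
    """C_p(t) = offset + (1 + drift) * t; a linear clock with constant drift."""
    return OFFSET[p] + (1 + DRIFT[p]) * t


def sample_delta2(r, p, i):
    """Constructed readings: r's clock minus p's clock at real time 10*(i+1).
    The faulty process 4 hands everyone a wild value instead, which d2-bar clips."""
    if r == 4 and p != 4:
        return F(1000)
    t = F(10 * (i + 1))
    return sample_clock(r, t) - sample_clock(p, t)
```

Running `theorem2_chain(sample_delta2, 1, 0)` on this data returns True: the wild reading from process 4 is clipped to 0 by d2_bar, the three honest readings average to -1/1600, and that correction is well inside big-sigma. The sampled `good_clock` check is only a finite approximation of the defn-sk+ quantifier over all t1, t2, but it separates the three drift-bounded clocks from process 4.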

;; These are the basic assumptions of the theorem.

(axiom A0 (rewrite)
  (rlessp (skew p q (ti 0) 0) (delta0)))

(defn-sk+ some-ok-time (p q i)
  (exists t0
    (and (in-r t0 i)
         (rlessp (rabs (rdifference (c p i (rplus t0 (delta2 q p i)))
                                    (c q i t0)))
                 (epsilon)))))
(axiom A2 (rewrite)
  (implies (and (nonfaulty p i)
                (nonfaulty q i)
                (S1C p q i)
                (S2 p i))
           (and (rleq (rabs (delta2 q p i)) (s))
                (some-ok-time p q i))))

(lemma d2-bar-list-listp (rewrite)
  (equal (listp (d2-bar-list n p i))
         (not (zerop n))))

(lemma d2-bar-list-all-rlessp-big-delta (rewrite)
  (all-rlessp (map-rabs (d2-bar-list n p i))
              (big-delta))
  ((enable d2-bar-prop)))

(disable rmean)


(lemma delta1-rlessp (rewrite)
  (rlessp (rabs (delta1 p i))
          (big-sigma))
  ((use (rlessp-rleq-transitivity2
          (x (rabs (delta1 p i)))
          (y (rmean (map-rabs (d2-bar-list (n) p i))))
          (z (big-sigma)))
        (all-rlessp-rleq-transitive
          (x (big-delta)) (y (big-sigma))
          (lst (map-rabs (d2-bar-list (n) p i))))
        (mean-bound (lst (map-rabs (d2-bar-list (n) p i))) (x (big-sigma))))
   (enable delta1 d2-bar-mean abs-mean listp-map-rabs d2-bar-list-listp
           d2-bar-list-all-rlessp-big-delta)))

(lemma theorem2 (rewrite)
  (S2 p i)
  ((enable rdifference S2 associativity-of-rplus
           delta1-rlessp rabs-reduce
           rplus-rzerop)))


(lemma upper-bound (rewrite)
  (implies (and (in-s tm i)
                (rleq (rabs pi) (rdifference (r) (s))))
           (rleq (adjusted p i (rplus tm pi))
                 (adjusted p (add1 i) (ti (add1 (add1 i))))))
  ((use (rleq-transitive (x pi)
                         (y (rplus (r) (rneg (big-sigma))))
                         (z (rplus (r) (delta1 p i))))
        (theorem2)
        (abs-ax6 (x pi)
                 (y (rdifference (r) (s))))
        (abs-ax6 (x (rdifference (corr p (add1 i))
                                 (corr p i)))
                 (y (big-sigma))))
   (enable rlessp-rleq big-sigma-positive adjusted-rplus
           rneg-greater-rleq rplus-cancel rplus-preserves-rleq-hack
           associativity-of-rplus ti-next in-s in-interval
           rdifference rleq-reduce adjusted corr-add1 S2)))


(lemma small-shift (rewrite)
  (rleq (rneg (r)) (rdifference (corr p (add1 i)) (corr p i)))
  ((use (theorem2) (slnr))
   (disable corr theorem2 slnr)
   (enable rabs-rneg-rleq rlessp-transitive rdifference
           rlessp-rleq-transitivity2 S2)))

(lemma adj-inductive-step (rewrite)
  (implies (rleq t0 (adjusted p i (ti i)))
           (rleq t0 (adjusted p (add1 i) (ti (add1 i)))))
  ((use (small-shift))
   (enable rleq-transitive associativity-of-rplus rplus-cancel ti-next adjusted
           rleq-reduce rdifference rplus-rneg-rleq-hack)))



(defn sub1-induction (i)
  (if (zerop i)
      t
      (sub1-induction (sub1 i))))

(lemma adj-always-positive (rewrite)
  (rleq (rplus (t0) (corr0)) (adjusted p i (ti i)))
  ((induct (sub1-induction i))
   (enable ti-zerop adjusted-reduce not-numberp-adjusted
           adjusted-zero rleq-reduce rleq-reflexive adj-inductive-step)))

(lemma lower-bound (rewrite)
  (implies (rleq (rational 0 1) pi)
           (rleq (adjusted p 0 (ti 0))
                 (adjusted p i (rplus (ti i) pi))))
  ((use (adj-always-positive))
   (enable-theory reductions)
   (enable ti-zerop rleq-rplus2 adjusted-zero adjusted-rplus)))

(lemma lower-bound2 (rewrite)
  (implies (and (in-s tm i)
                (rleq (rabs pi) (rdifference (r) (s))))
           (rleq (adjusted p 0 (ti 0))
                 (adjusted p i (rplus tm pi))))
  ((use (lower-bound (pi (rplus tm (rplus (rneg (ti i)) pi))))
        (rleq-transitive (x (rational 0 1))
                         (y (rplus tm
                                   (rplus (rneg (ti i))
                                          (rplus (rneg (r)) (s)))))
                         (z (rplus tm (rplus (rneg (ti i)) pi)))))
   (enable rplus-reduce rleq-hack
           associativity-of-rplus rneg-rneg ti-next
           rneg-rplus rdifference in-s in-interval
           rleq-reduce rabs-rneg-rplus)))

(lemma gc-prop (rewrite)
  (implies (and (good-clock p t0 tn)
                (in-interval tm t0 tn))
           (good-clock p t0 tm))
  ((use (good-clock-necc (t2 (t2 tm t0 p)) (t1 (t1 tm t0 p))
                         (high tn) (low t0) (p p))
        (in-interval-inclusion (low t0) (high tn) (x tm) (y (t1 tm t0 p)))
        (in-interval-inclusion (low t0) (high tn) (x tm) (y (t2 tm t0 p))))))

(lemma bounds (rewrite)
  (and (rleq (adjusted p 0 (ti 0))
             (adjusted p i (ti (add1 i))))
       (rleq (adjusted p i (ti (add1 i)))
             (adjusted p (add1 i) (ti (add1 (add1 i))))))
  ((use (lower-bound2 (pi (rational 0 1)) (tm (ti (add1 i))))
        (upper-bound (pi (rational 0 1)) (tm (ti (add1 i)))))
   (enable ti-in-s rlessp-rdifference2 slnr rplus-rzerop
           adjusted-reduce rdifference)))

(lemma nonfx (rewrite)
  (implies (nonfaulty p (add1 i))
           (nonfaulty p i))
  ((use (gc-prop (t0 (adjusted p 0 (ti 0)))
                 (tn (adjusted p (add1 i) (ti (add1 (add1 i)))))
                 (tm (adjusted p i (ti (add1 i))))))
   (enable nonfaulty in-interval bounds)))

(lemma S1A-lemma (rewrite)
  (implies (S1A (add1 i))
           (S1A i))
  ((use (S1A-necc (r (r-1 i)) (i (add1 i))))
   (enable nonfx)))


(lemma lemma2 (rewrite)
  (implies (and (nonfaulty p (add1 i))
                (rleq (adjusted p i tm)
                      (adjusted p (add1 i) (ti (add1 (add1 i)))))
                (rleq (adjusted p 0 (ti 0))
                      (adjusted p i tm))
                (rleq (adjusted p i (rplus tm pi))
                      (adjusted p (add1 i) (ti (add1 (add1 i)))))
                (rleq (adjusted p 0 (ti 0))
                      (adjusted p i (rplus tm pi))))
           (rleq (rabs (rplus (c p i (rplus tm pi))
                              (rplus (rneg (c p i tm))
                                     (rneg pi))))
                 (rtimes (rational 1 2) (rtimes (rho) (rabs pi)))))
  ((use (good-clock-necc (low (adjusted p 0 (ti 0)))
                         (high (adjusted p (add1 i) (ti (add1 (add1 i)))))
                         (t2 (adjusted p i tm))
                         (t1 (adjusted p i (rplus tm pi)))))
   (enable adjusted-rplus associativity-of-rplus nonfaulty c
           rabs-reduce rneg-rplus reduce-rneg in-interval)))


(lemma lemma2a (rewrite)
  (implies (and (nonfaulty p (add1 i))
                (rleq (rabs (rplus pi phi)) (rdifference (r) (s)))
                (rleq (rabs phi) (rdifference (r) (s)))
                (in-s tm i))
           (rleq (rabs (rplus (c p i (rplus tm (rplus phi pi)))
                              (rplus (rneg (c p i (rplus tm phi)))
                                     (rneg pi))))
                 (rtimes (rational 1 2) (rtimes (rho) (rabs pi)))))
  ((use (lemma2 (tm (rplus tm phi))))
   (enable upper-bound lower-bound2 associativity-of-rplus
           rabs-commutativity-hack)))

(lemma lemma2b-step (rewrite)
  (implies (and (rleq (rabs phi) (s))
                (rleq (rabs pi) (s)))
           (rleq (rabs (rplus pi phi))
                 (rplus (r) (rneg (s)))))
  ((use (rleq-transitive (x (rabs (rplus pi phi)))
                         (y (rplus (rabs pi) (rabs phi)))
                         (z (rplus (r) (rneg (s))))))
   (enable times-3-rleq-rewrite rabs-rplus-rleq s-rleq parameters-intro)))

(lemma lemma2b-step2 (rewrite)
  (implies (rleq (rabs phi) (s))
           (rleq (rabs phi)
                 (rplus (r) (rneg (s)))))
  ((enable times-3-rleq-rewrite2 s-rleq parameters-intro)))

(lemma lemma2b (rewrite)
  (implies (and (nonfaulty p (add1 i))
                (rleq (rabs phi) (s))
                (rleq (rabs pi) (s))
                (in-s tm i))
           (rleq (rabs (rplus (c p i (rplus tm (rplus phi pi)))
                              (rplus (rneg (c p i (rplus tm phi)))
                                     (rneg pi))))
                 (rtimes (rational 1 2) (rtimes (rho) (rabs pi)))))
  ((enable lemma2a lemma2b-step rdifference lemma2b-step2)))

(lemma lemma2c (rewrite)
  (implies (and (nonfaulty p (add1 i))
                (rleq (rabs pi) (s))
                (in-s tm i))
           (rleq (rabs (rplus (c p i (rplus tm pi))
                              (rplus (rneg (c p i tm))
                                     (rneg pi))))
                 (rtimes (rational 1 2) (rtimes (rho) (rabs pi)))))
  ((use (lemma2b (phi (rational 0 1))))
   (enable s-rleq rplus-rzerop rplus-reduce
           c-reduce)))


(lemma lemma2d (rewrite)
  (implies (and (nonfaulty p i)
                (rleq (rational 0 1) pi)
                (rleq pi (r)))
           (rleq (rabs (rplus (c p i (rplus (ti i) pi))
                              (rplus (rneg (c p i (ti i)))
                                     (rneg pi))))
                 (rtimes (rational 1 2) (rtimes (rho) (rabs pi)))))
  ((use (good-clock-necc (low (adjusted p 0 (ti 0)))
                         (high (adjusted p i (ti (add1 i))))
                         (t1 (adjusted p i (rplus (ti i) pi)))
                         (t2 (adjusted p i (ti i)))))
   (enable-theory reductions)
   (enable nonfaulty in-interval lower-bound adjusted-rplus ti-next
           rplus-cancel adjusted-zero ti-zerop adj-always-positive
           rleq-rplus2 rleq-reflexive rleq-transitive c rneg-rplus
           associativity-of-rplus rabs-reduce)))


(lemma rabs-negate-lemma1-hack (rewrite)
  (equal (rabs (rplus (c p i t0)
                      (rplus (delta2 q p i)
                             (rneg (c p i (rplus t0 (delta2 q p i)))))))
         (rabs (rplus (c p i (rplus t0 (delta2 q p i)))
                      (rplus (rneg (c p i t0))
                             (rneg (delta2 q p i))))))
  ((use (rabs-negate-hack (x (c p i t0))
                          (y (delta2 q p i))
                          (z (c p i (rplus t0 (delta2 q p i))))))))


(lemma lemma1 (rewrite)
  (implies (and (S1C p q i)
                (S2 p i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i)))
           (rlessp (rabs (delta2 q p i)) (big-delta)))
  ((use (A2)
        (some-ok-time-necc)
        (S1C-necc (tm (t0-1 i p q)))
        (rabs-rplus-rleq2
          (x (rplus (c p i (t0-1 i p q))
                    (rplus (delta2 q p i)
                           (rneg (c p i (rplus (t0-1 i p q) (delta2 q p i)))))))
          (y (rplus (c q i (t0-1 i p q))
                    (rneg (c p i (t0-1 i p q)))))
          (z (rplus (c p i (rplus (t0-1 i p q) (delta2 q p i)))
                    (rneg (c q i (t0-1 i p q))))))
        (lemma2c (pi (delta2 q p i)) (tm (t0-1 i p q)))
        (rlessp-rleq-transitivity2
          (x (rabs (delta2 q p i)))
          (y (rplus (rabs (rplus (c p i (t0-1 i p q))
                                 (rplus (delta2 q p i)
                                        (rneg (c p i (rplus (t0-1 i p q) (delta2 q p i)))))))
                    (rplus (rabs (rplus (c q i (t0-1 i p q))
                                        (rneg (c p i (t0-1 i p q)))))
                           (rabs (rplus (c p i (rplus (t0-1 i p q) (delta2 q p i)))
                                        (rneg (c q i (t0-1 i p q))))))))
          (z (big-delta)))
        (rlessp-rleq-transitivity
          (x (rplus (rabs (rplus (c p i (t0-1 i p q))
                                 (rplus (delta2 q p i)
                                        (rneg (c p i (rplus (t0-1 i p q) (delta2 q p i)))))))
                    (rplus (rabs (rplus (c q i (t0-1 i p q))
                                        (rneg (c p i (t0-1 i p q)))))
                           (rabs (rplus (c p i (rplus (t0-1 i p q) (delta2 q p i)))
                                        (rneg (c q i (t0-1 i p q))))))))
          (y (rplus (delta)
                    (rplus (epsilon)
                           (rtimes (rational 1 2)
                                   (rtimes (rho) (s))))))
          (z (big-delta)))
        (rleq-transitive
          (x (rabs (rplus (c p i (t0-1 i p q))
                          (rplus (delta2 q p i)
                                 (rneg (c p i (rplus (t0-1 i p q) (delta2 q p i))))))))
          (y (rtimes (rational 1 2)
                     (rtimes (rho)
                             (rabs (delta2 q p i)))))
          (z (rtimes (rational 1 2) (rtimes (rho) (s))))))
   (enable rabs-rdifference rleq-rtimes-hack rho-rleq0 rlessp-rleq nonfx
           inrs skew rdifference associativity-of-rplus
           parameters-intro rleq-rlessp-hack rabs-negate-lemma1-hack)
   (enable-theory reductions)))


(lemma lemma3 (rewrite)
  (implies (and (S1C p q i)
                (S2 p i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (in-s tm i))
           (rlessp (rabs (rplus (c p i (rplus tm (delta2 q p i)))
                                (rneg (c q i tm))))
                   (rplus (epsilon)
                          (rtimes (rho) (s)))))
  ((use (A2)
        (some-ok-time-necc)
        (rearrange-alt
          (x (c p i (rplus tm (delta2 q p i))))
          (y (c q i tm))
          (u (c p i (rplus (t0-1 i p q) (delta2 q p i))))
          (v (rplus tm (rneg (t0-1 i p q))))
          (w (c q i (t0-1 i p q))))
        (lemma2c (p q)
                 (tm (t0-1 i p q))
                 (pi (rplus tm (rneg (t0-1 i p q)))))
        (lemma2b (tm (t0-1 i p q))
                 (phi (delta2 q p i))
                 (pi (rplus tm (rneg (t0-1 i p q)))))
        (rlessp-rleq-transitivity2
          (x (rabs (rplus (c p i (rplus tm (delta2 q p i)))
                          (rneg (c q i tm)))))
          (y (rplus (rabs (rplus (c p i (rplus tm (delta2 q p i)))
                                 (rplus (rneg (c p i (rplus (delta2 q p i) (t0-1 i p q))))
                                        (rplus (rneg tm) (t0-1 i p q)))))
                    (rplus (rabs (rplus (c p i (rplus (delta2 q p i) (t0-1 i p q)))
                                        (rneg (c q i (t0-1 i p q)))))
                           (rabs (rplus (c q i tm)
                                        (rplus (rneg (c q i (t0-1 i p q)))
                                               (rplus (rneg tm) (t0-1 i p q))))))))
          (z (rplus (epsilon)
                    (rtimes (rho) (s)))))
        (rleq-transitive
          (x (rplus (rabs (rplus (c p i (rplus tm (delta2 q p i)))
                                 (rplus (rneg (c p i (rplus (delta2 q p i) (t0-1 i p q))))
                                        (rplus (rneg tm) (t0-1 i p q)))))
                    (rabs (rplus (c q i tm)
                                 (rplus (rneg (c q i (t0-1 i p q)))
                                        (rplus (rneg tm) (t0-1 i p q)))))))
          (y (rtimes (rho)
                     (rabs (rplus tm (rneg (t0-1 i p q))))))
          (z (rtimes (rho) (s)))))
   (enable-theory reductions)
   (enable in-s-lemma2 rho-rleq0 rlessp-rplus-triple rplus-reduce
           rneg-rneg rneg-rplus c-reduce nonfx rdifference
           c-commutativity rlessp-transitive associativity-of-rplus
           rlessp-rleq-hack rleq-rtimes-hack rleq-half-rplus)))

(lemma sublemma1 (rewrite)
  (implies (and (S1C p r i)
                (S2 p i)
                (nonfaulty p (add1 i))
                (nonfaulty r (add1 i)))
           (equal (d2-bar r p i)
                  (delta2 r p i)))
  ((use (lemma1 (q r)))
   (enable d2-bar delta2-intro)))

(lemma lemma2x (rewrite)
  (implies (and (S1C p r i)
                (S2 p i)
                (nonfaulty p (add1 i))
                (nonfaulty r (add1 i))
                (in-s tm i))
           (rleq (rabs (rplus (c p i (rplus tm (delta2 r p i)))
                              (rplus (rneg (c p i tm))
                                     (rneg (delta2 r p i)))))
                 (rtimes (rational 1 2) (rtimes (rho) (big-delta)))))
  ((use (lemma2c (pi (delta2 r p i)))
        (lemma1 (q r))
        (rleq-transitive
          (x (rabs (rplus (c p i (rplus tm (delta2 r p i)))
                          (rplus (rneg (c p i tm))
                                 (rneg (delta2 r p i))))))
          (y (rtimes (rational 1 2)
                     (rtimes (rho) (rabs (delta2 r p i)))))
          (z (rtimes (rational 1 2)
                     (rtimes (rho) (big-delta))))))
   (enable rleq-rtimes-hack rho-rleq0 rlessp-rleq nonfx A2
           rleq-rtimes-pos2 rleq-transitive)))

(lemma lemma4-version1 (rewrite)
  (implies (and (S1C q r i)
                (S1C p q i)
                (S1C p r i)
                (S2 p i)
                (S2 q i)
                (S2 r i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (nonfaulty r (add1 i))
                (in-s tm i))
           (rlessp (rabs (rplus (rplus (c p i tm)
                                       (d2-bar r p i))
                                (rplus (rneg (c q i tm))
                                       (rneg (d2-bar r q i)))))
                   (rplus (rtimes (rational 1 2) (rtimes (rho) (big-delta)))
                          (rplus (rtimes (rational 1 2) (rtimes (rho) (big-delta)))
                                 (rplus (rplus (epsilon) (rtimes (rho) (s)))
                                        (rplus (epsilon) (rtimes (rho) (s))))))))
  ((use (rearrange3
          (x (rplus (c p i tm) (d2-bar r p i)))
          (y (rplus (c q i tm) (d2-bar r q i)))
          (u (c q i (rplus tm (d2-bar r q i))))
          (v (c p i (rplus tm (d2-bar r p i))))
          (w (c r i tm))))
   (enable-theory reductions)
   (enable sublemma1 lemma3 lemma2x rdifference rlessp-rleq-transitivity2
           rlessp-rleq rlessp-rplus-pair rneg-rplus rleq-rlessp-rplus-pair)))

(lemma lemma4-hack (rewrite)
  (equal (rplus z (rplus z (rplus x (rplus y (rplus x y)))))
         (rtimes (rational 2 1) (rplus x (rplus y z))))
  ((enable rtimes-add1 rtimes-rzerop commutativity-of-rplus
           commutativity2-of-rplus)))


(lemma lemma4 (rewrite)
  (implies (and (S1C q r i)
                (S1C p q i)
                (S1C p r i)
                (S2 p i)
                (S2 q i)
                (S2 r i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (nonfaulty r (add1 i))
                (in-s tm i))
           (rlessp (rabs (rplus (c p i tm)
                                (rplus (d2-bar r p i)
                                       (rplus (rneg (c q i tm))
                                              (rneg (d2-bar r q i))))))
                   (rtimes (rational 2 1)
                           (rplus (epsilon)
                                  (rplus (rtimes (rho) (s))
                                         (rtimes (rational 1 2)
                                                 (rtimes (rho) (big-delta))))))))
  ((use (lemma4-version1))
   (enable associativity-of-rplus lemma4-hack)))


(lemma lemma5 (rewrite)
  (implies (and (S1C p q i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (in-s tm i))
           (rlessp (rabs (rplus (c p i tm)
                                (rplus (d2-bar r p i)
                                       (rplus (rneg (c q i tm))
                                              (rneg (d2-bar r q i))))))
                   (rplus (delta) (rtimes (rational 2 1) (big-delta)))))
  ((use (rearrange4 (a (c p i tm))
                    (b (c q i tm))
                    (x (d2-bar r p i))
                    (y (d2-bar r q i)))
        (S1C-necc))
   (enable rdifference associativity-of-rplus rneg-rplus
           rlessp-rleq-transitivity2 rleq-rlessp-rplus-pair
           rlessp-times2 d2-bar-prop skew nonfx inrs)))

(lemma rleq-rplus-hack3 (rewrite)
  (equal (rleq (rplus x (rplus y z)) (rplus y w))
         (rleq (rplus x z) (reduce w)))
  ((enable rleq requal)))

(lemma sublemma-a (rewrite)
  (implies (and (nonfaulty p i)
                (nonfaulty q i)
                (in-r tm i))
           (rleq (skew p q tm i)
                 (rplus (skew p q (ti i) i)
                        (rtimes (rho) (r)))))
  ((use (rearrange-alt (x (c p i tm))
                       (y (c q i tm))
                       (u (c p i (ti i)))
                       (v (rplus tm (rneg (ti i))))
                       (w (c q i (ti i))))
        (lemma2d (pi (rplus tm (rneg (ti i)))))
        (lemma2d (p q) (pi (rplus tm (rneg (ti i))))))
   (enable-theory reductions)
   (enable skew rdifference rneg-rplus c-reduce ti-next rabs-positive2
           rplus-rleq-rewrite rplus-rleq-rewrite2 rleq-rtimes-hack in-r
           in-interval rho-rleq0 rleq-transitive rleq-rplus-hack3 rleq-half-rplus)))

(lemma delta1-rleq-s (rewrite)
  (rlessp (rabs (delta1 p i)) (s))
  ((use (theorem2))
   (enable S2 rdifference corr-add1 associativity-of-rplus
           rabs-reduce rlessp-transitive rleq-rlessp-relation)))

(lemma sublemma2 (rewrite)
  (equal (skew p q tm (add1 i))
         (rabs (rplus (c p i (rplus tm (delta1 p i)))
                      (rneg (c q i (rplus tm (delta1 q i)))))))
  ((enable skew rdifference clock-prop)))

(lemma lemma6 (rewrite)
  (implies (and (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (in-r tm (add1 i)))
           (rleq (skew p q tm (add1 i))
                 (rplus (rabs (rplus (c p i (ti (add1 i)))
                                     (rplus (delta1 p i)
                                            (rplus (rneg (c q i (ti (add1 i))))
                                                   (rneg (delta1 q i))))))
                        (rplus (rtimes (rho) (r))
                               (rtimes (rho) (big-sigma))))))
  ((use (sublemma-a (i (add1 i)))
        (rearrange
          (x (c p i (rplus (ti (add1 i)) (delta1 p i))))
          (y (c q i (rplus (ti (add1 i)) (delta1 q i))))
          (u (c p i (ti (add1 i))))
          (v (delta1 p i))
          (w (c q i (ti (add1 i))))
          (z (delta1 q i)))
        (lemma2c (tm (ti (add1 i))) (pi (delta1 p i)))
        (lemma2c (tm (ti (add1 i))) (pi (delta1 q i)) (p q)))
   (disable correctness-of-cancel-rplus-rleq)
   (enable rdifference rneg-rplus sublemma2 rplus-rleq-rlessp-cancel2 rleq-transitive
           rplus-rleq-rlessp-cancel delta1-rleq-s ti-in-s rleq-rtimes-pos2 rlessp-rleq
           delta1-rlessp rho-rleq0 rleq-rtimes-hack rleq-half-rplus)))


(defn l1-term-list (p q i r)
  ;; This generates the list of terms to which the mean is applied in lemma l1.
  ;; Notice that they don't have the absolute value applied.
  (if (zerop r)
      nil
      (append (l1-term-list p q i (sub1 r))
              (list (rplus (c p i (ti (add1 i)))
                           (rplus (d2-bar r p i)
                                  (rplus (rneg (c q i (ti (add1 i))))
                                         (rneg (d2-bar r q i)))))))))

(lemma length-l1-term-list (rewrite)
  (equal (length (l1-term-list p q i r))
         (fix r))
  ((enable l1-term-list)))

(lemma l1-term-list-rewrite (rewrite)
  (equal (rsum (l1-term-list p q i r))
         (rplus (rtimes-nat r (c p i (ti (add1 i))))
                (rplus (rsum (d2-bar-list r p i))
                       (rplus (rneg (rtimes-nat r (c q i (ti (add1 i)))))
                              (rneg (rsum (d2-bar-list r q i)))))))
  ((enable l1-term-list d2-bar-list rsum rtimes-nat-zerop rtimes-nat-add1
           associativity-of-rplus rneg-rplus
           reduce-rplus rsum-append rplus-rzerop
           commutativity-of-rplus reduce-reduce rplus-reduce)))

(lemma l1 (rewrite)
  (rleq (rabs (rplus (c p i (ti (add1 i)))
                     (rplus (delta1 p i)
                            (rplus (rneg (c q i (ti (add1 i))))
                                   (rneg (delta1 q i))))))
        (rmean (map-rabs (l1-term-list p q i (n)))))
  ((use (abs-mean (lst (l1-term-list p q i (n)))))
   (enable rleq-transitive rmean l1-term-list-rewrite length-l1-term-list
           rquotient-nat-rplus rquotient-nat-rtimes-nat rplus-reduce
           rneg-rtimes-nat delta1 d2-bar-mean
           length-d2-bar-list rneg-rquotient-nat rleq-reflexive)))

(lemma l2 (rewrite)
  (rleq (rabs (rplus (c p i (ti (add1 i)))
                     (rplus (delta1 p i)
                            (rplus (rneg (c q i (ti (add1 i))))
                                   (rneg (delta1 q i))))))
        (rquotient-nat (rplus (rsum (firstn (map-rabs (l1-term-list p q i (n))) (m)))
                              (rsum (restn (map-rabs (l1-term-list p q i (n))) (m))))
                       (n)))
  ((use (l1))
   (enable rplus-rsum firstn-append-restn rmean
           length-map-rabs length-l1-term-list)))

(lemma bound-faulty (rewrite)
  (implies (and (S1A (add1 i))
                (S1C p q i)
                (not (zerop r))
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i)))
           (rlessp (rabs (rplus (c p i (ti (add1 i)))
                                (rplus (d2-bar r p i)
                                       (rplus (rneg (c q i (ti (add1 i))))
                                              (rneg (d2-bar r q i))))))
                   (rplus (delta) (rtimes (rational 2 1) (big-delta)))))
  ((enable lemma5 ti-in-s)))

(defn firstn-l1-induction (m n)
  (if (zerop n)
      t
      (if (zerop m)
          t
          (if (equal m n)
              t
              (firstn-l1-induction m (sub1 n))))))

(lemma firstn-l1-term-list (rewrite)
  (implies (leq m n)
           (equal (firstn (map-rabs (l1-term-list p q i n)) m)
                  (map-rabs (l1-term-list p q i m))))
  ((induct (firstn-l1-induction m n))
   (enable map-rabs-append firstn-n plistp-map-rabs
           length-map-rabs length-l1-term-list
           firstn-append-lessp)))

(lemma l3-sublemma (rewrite)
  (implies (and (leq m (n))
                (S1A (add1 i))
                (S1C p q i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (not (zerop m)))
           (all-rlessp (firstn (map-rabs (l1-term-list p q i (n))) m)
                       (rplus (delta)
                              (rtimes (rational 2 1) (big-delta)))))
  ((induct (sub1-induction m))
   (enable all-rlessp firstn map-rabs l1-term-list bound-faulty
           map-rabs-append firstn-l1-term-list all-rlessp-append)))


(lemma l3 (rewrite)
  (implies (and (S1A (add1 i))
                (S1C p q i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (lessp m (n)))
           (rleq (rsum (firstn (map-rabs (l1-term-list p q i (n))) m))
                 (rtimes-nat2 (rplus (delta) (rtimes (rational 2 1) (big-delta)))
                              m)))
  ((use (sum-bound (lst (map-rabs (l1-term-list p q i m)))
                   (x (rplus (delta)
                             (rtimes (rational 2 1)
                                     (big-delta)))))
        (l3-sublemma))
   (enable firstn rsum rtimes-nat-rtimes-nat2 rtimes-nat-zerop
           rleq-reflexive firstn-l1-term-list
           length-map-rabs length-l1-term-list rlessp-rleq listp-map-rabs)))

(defn-sk+ theorem1-one-step (i)
  (forall (p q)
    (implies (S1A i)
             (S1C p q i))))

(lemma bound-nonfaulty (rewrite)
  (implies (and (S1A (add1 i))
                (S1C p q i)
                (leq (add1 (m)) r)
                (leq r (n))
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (theorem1-one-step i))
           (rlessp (rabs (rplus (c p i (ti (add1 i)))
                                (rplus (d2-bar r p i)
                                       (rplus (rneg (c q i (ti (add1 i))))
                                              (rneg (d2-bar r q i))))))
                   (rtimes (rational 2 1)
                           (rplus (epsilon)
                                  (rplus (rtimes (rho) (s))
                                         (rtimes (rational 1 2)
                                                 (rtimes (rho) (big-delta))))))))
  ((use (S1A-necc (i (add1 i)))
        (theorem1-one-step-necc (p q) (q r))
        (theorem1-one-step-necc (q r)))
   (enable lemma4 theorem2 S1A-lemma ti-in-s)))

(defn l4-term-list (p q i m r)
  (if (leq m r)
      (cons (rabs (rplus (c p i (ti (add1 i)))
                         (rplus (d2-bar m p i)
                                (rplus (rneg (c q i (ti (add1 i))))
                                       (rneg (d2-bar m q i))))))
            (l4-term-list p q i (add1 m) r))
      nil)
  ((lessp (difference (add1 r) m))))

(lemma l4-term-strip-last (rewrite)
  (implies (and (leq m r)
                (not (zerop r)))
           (equal (l4-term-list p q i m r)
                  (append (l4-term-list p q i m (sub1 r))
                          (list (rabs (rplus (c p i (ti (add1 i)))
                                             (rplus (d2-bar r p i)
                                                    (rplus (rneg (c q i (ti (add1 i))))
                                                           (rneg (d2-bar r q i)))))))))))

(lemma length-l4-term-list-from1 (rewrite)
  (equal (length (l4-term-list p q i 1 r)) (fix r))
  ((induct (sub1-induction r))
   (enable l4-term-strip-last)))

(lemma length-l4-term-list (rewrite)
  (equal (length (l4-term-list p q i (add1 m) r))
         (difference r m))
  ((enable length-l4-term-list-from1 l4-term-strip-last)))

(defn l1-l4-relation-induction (m n)
  (if (not (lessp m n))
      (if (equal m n)
          t
          (if (lessp n m) t f))
      (l1-l4-relation-induction m (sub1 n))))

(lemma l1-l4-term-lists-relation (rewrite)
  (implies (and (not (zerop n))
                (leq m n))
           (equal (restn (map-rabs (l1-term-list p q i n)) m)
                  (l4-term-list p q i (add1 m) n)))
  ((induct (l1-l4-relation-induction m n))
   (enable restn-n plistp-map-rabs length-map-rabs length-l1-term-list
           restn-append map-rabs-append restn-1 l4-term-strip-last)))

(lemma listp-l4-term-list (rewrite)
  (implies (and (lessp m n)
                (not (zerop n)))
           (listp (l4-term-list p q i (add1 m) n)))
  ((enable l4-term-strip-last)))


(lemma l4-sublemma (rewrite)
  (implies (and (leq r (n))
                (leq (add1 (m)) r)
                (S1A (add1 i))
                (S1C p q i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (theorem1-one-step i))
           (all-rlessp (l4-term-list p q i r (n))
                       (rtimes (rational 2 1)
                               (rplus (epsilon)
                                      (rplus (rtimes (rho) (s))
                                             (rtimes (rational 1 2)
                                                     (rtimes (rho) (big-delta))))))))
  ((enable bound-nonfaulty)))

(lemma l4-version1 (rewrite)
  (implies (and (lessp m (n))
                (leq (m) m)
                (S1A (add1 i))
                (S1C p q i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (theorem1-one-step i))
           (rleq (rsum (l4-term-list p q i (add1 m) (n)))
                 (rtimes-nat2 (rtimes (rational 2 1)
                                      (rplus (epsilon)
                                             (rplus (rtimes (rho) (s))
                                                    (rtimes (rational 1 2)
                                                            (rtimes (rho) (big-delta))))))
                              (difference (n) m))))
  ((use (sum-bound (lst (l4-term-list p q i (add1 m) (n)))
                   (x (rtimes (rational 2 1)
                              (rplus (epsilon)
                                     (rplus (rtimes (rho) (s))
                                            (rtimes (rational 1 2)
                                                    (rtimes (rho) (big-delta)))))))))
   (enable rtimes-nat-rtimes-nat2 rlessp-rleq
           listp-l4-term-list length-l4-term-list l4-sublemma)))

(lemma l4 (rewrite)
  (implies (and (S1A (add1 i))
                (S1C p q i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (theorem1-one-step i))
           (rleq (rsum (restn (map-rabs (l1-term-list p q i (n))) (m)))
                 (rtimes-nat2 (rtimes (rational 2 1)
                                      (rplus (epsilon)
                                             (rplus (rtimes (rho) (s))
                                                    (rtimes (rational 1 2)
                                                            (rtimes (rho) (big-delta))))))
                              (difference (n) (m)))))
  ((enable l1-l4-term-lists-relation l4-version1)))

(lemma l5 (rewrite)
  (implies (and (S1A (add1 i))
                (S1C p q i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (theorem1-one-step i))
           (rleq (rabs (rplus (c p i (ti (add1 i)))
                              (rplus (delta1 p i)
                                     (rplus (rneg (c q i (ti (add1 i))))
                                            (rneg (delta1 q i))))))
                 (rquotient-nat
                   (rplus (rtimes-nat2 (rplus (delta) (rtimes (rational 2 1) (big-delta)))
                                       (m))
                          (rtimes-nat2 (rtimes (rational 2 1)
                                               (rplus (epsilon)
                                                      (rplus (rtimes (rho) (s))
                                                             (rtimes (rational 1 2)
                                                                     (rtimes (rho) (big-delta))))))
                                       (difference (n) (m))))
                   (n))))
  ((use (div-mon2
          (x (rsum (append (firstn (map-rabs (l1-term-list p q i (n))) (m))
                           (restn (map-rabs (l1-term-list p q i (n))) (m)))))
          (y (rplus (rtimes-nat2 (rplus (delta) (rtimes (rational 2 1) (big-delta)))
                                 (m))
                    (rtimes-nat2 (rtimes (rational 2 1)
                                         (rplus (epsilon)
                                                (rplus (rtimes (rho) (s))
                                                       (rtimes (rational 1 2)
                                                               (rtimes (rho) (big-delta))))))
                                 (difference (n) (m)))))
          (z (n)))
        (rleq-transitive
          (x (rabs (rplus (c p i (ti (add1 i)))
                          (rplus (delta1 p i)
                                 (rplus (rneg (c q i (ti (add1 i))))
                                        (rneg (delta1 q i)))))))
          (y (rquotient-nat
               (rsum (append (firstn (map-rabs (l1-term-list p q i (n))) (m))
                             (restn (map-rabs (l1-term-list p q i (n))) (m))))
               (n)))
          (z (rquotient-nat
               (rplus (rtimes-nat2 (rplus (delta) (rtimes (rational 2 1) (big-delta)))
                                   (m))
                      (rtimes-nat2 (rtimes (rational 2 1)
                                           (rplus (epsilon)
                                                  (rplus (rtimes (rho) (s))
                                                         (rtimes (rational 1 2)
                                                                 (rtimes (rho) (big-delta))))))
                                   (difference (n) (m))))
               (n)))))
   (enable rleq-transitive rsum-append rleq-rplus-pair l2 l3 l4)))
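Added example, not part of the original Nqthm script: a Python model of the list bookkeeping behind l1 through l5 above, namely the l1 term list without absolute values, the l2 split of its mean into the first (m) entries and the remaining (n) - (m) entries, the firstn/restn identities relating it to l4-term-list, and the shape of the l3 + l4 + l5 bound. The clock values C_AT_TI and clipped readings DBAR are constructed data, and the two per-term bounds passed to l5_style_bound stand in for the delta + 2 big-delta bound of lemma5 and the 2(epsilon + rho S + rho big-delta / 2) bound of lemma4; none of the paper's constants are used.

```python
"""Executable model of the list bookkeeping in l1..l5 above. Added example; not
part of the original Nqthm script. Clock values and clipped readings are
constructed data; the per-term bounds are parameters, not the paper's constants."""
from fractions import Fraction as F

N, M = 5, 2   # hypothetical: 5 processes, of which at most M = 2 (numbered 1..M) may be faulty

# Constructed c(p, i, ti(i+1)) for p = 1, 2 and clipped readings DBAR[(r, p)] = d2-bar(r, p, i).
C_AT_TI = {1: F(100), 2: F(101)}
DBAR = {
    (1, 1): F(0), (2, 1): F(1), (3, 1): F(-1, 2), (4, 1): F(0), (5, 1): F(3, 2),
    (1, 2): F(1, 2), (2, 2): F(0), (3, 2): F(-1), (4, 2): F(-2), (5, 2): F(1),
}


def term(p, q, r):
    """One summand of l1: c_p + d2-bar(r,p) - c_q - d2-bar(r,q), without absolute value."""
    return C_AT_TI[p] + DBAR[(r, p)] - C_AT_TI[q] - DBAR[(r, q)]


def l1_term_list(p, q, r):
    """(defn l1-term-list (p q i r)): terms for processes 1..r, in increasing order."""
    return [] if r == 0 else l1_term_list(p, q, r - 1) + [term(p, q, r)]


def l4_term_list(p, q, m, r):
    """(defn l4-term-list (p q i m r)): |term| for processes m..r."""
    return [abs(term(p, q, k)) for k in range(m, r + 1)]


def map_rabs(lst):
    return [abs(x) for x in lst]


def firstn(lst, m):
    return lst[:m]


def restn(lst, m):
    return lst[m:]


def rmean(lst):
    return sum(lst, F(0)) / len(lst)


def delta1_difference(p, q):
    """Left side of l1: |c_p + mean_r d2-bar(r,p) - c_q - mean_r d2-bar(r,q)|."""
    mp = rmean([DBAR[(r, p)] for r in range(1, N + 1)])
    mq = rmean([DBAR[(r, q)] for r in range(1, N + 1)])
    return abs(C_AT_TI[p] + mp - C_AT_TI[q] - mq)


def l1_bound(p, q):
    """Right side of l1: the mean of |term| (abs-mean, i.e. the triangle inequality)."""
    return rmean(map_rabs(l1_term_list(p, q, N)))


def l2_split(p, q):
    """l2: the same mean written as (sum of the first m + sum of the rest) / n."""
    absl = map_rabs(l1_term_list(p, q, N))
    return (sum(firstn(absl, M), F(0)) + sum(restn(absl, M), F(0))) / N


def l1_l4_relation_holds(p, q):
    """firstn-l1-term-list and l1-l4-term-lists-relation:
    firstn (map-rabs (l1-term-list n)) m = map-rabs (l1-term-list m) and
    restn  (map-rabs (l1-term-list n)) m = l4-term-list (m+1) n."""
    absl = map_rabs(l1_term_list(p, q, N))
    return (firstn(absl, M) == map_rabs(l1_term_list(p, q, M))
            and restn(absl, M) == l4_term_list(p, q, M + 1, N))


def l5_style_bound(p, q, faulty_bound, nonfaulty_bound):
    """Shape of l3 + l4 + l5: if every one of the first m terms is < A and every one
    of the remaining n-m terms is < B, the mean is <= (m*A + (n-m)*B) / n.
    Returns (mean, bound, per-term hypotheses hold)."""
    absl = map_rabs(l1_term_list(p, q, N))
    hyp = (all(x < faulty_bound for x in firstn(absl, M))
           and all(x < nonfaulty_bound for x in restn(absl, M)))
    bound = F(M * faulty_bound + (N - M) * nonfaulty_bound) / N
    return rmean(absl), bound, hyp
```

On this data `delta1_difference(1, 2)` is 3/10 while `l1_bound(1, 2)` is 7/10, so the triangle-inequality step of l1 is strict because the terms have mixed signs; `l2_split` reproduces the same 7/10 from the two partial sums, and `l1_l4_relation_holds` confirms that the restn tail of the absolute-value list is exactly the l4-term-list starting at (m) + 1.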

(lemma culmination (rewrite)
  (implies (and (S1A (add1 i))
                (S1C p q i)
                (nonfaulty p (add1 i))
                (nonfaulty q (add1 i))
                (in-r tm (add1 i))
                (theorem1-one-step i))
           (rleq (skew p q tm (add1 i))
                 (rplus (rquotient-nat
                          (rplus (rtimes-nat (m)
                                             (rplus (delta)
                                                    (rtimes (rational 2 1) (big-delta))))
                                 (rtimes-nat (difference (n) (m))
                                             (rtimes (rational 2 1)
                                                     (rplus (epsilon)
                                                            (rplus (rtimes (rho) (s))
                                                                   (rtimes (rational 1 2)
                                                                           (rtimes (rho) (big-delta))))))))
                          (n))
                        (rplus (rtimes (rho) (r))
                               (rtimes (rho) (big-sigma))))))
  ((use (l5)
        (rleq-transitive
          (x (skew p q tm (add1 i)))
          (y (rplus (rabs (rplus (c p i (ti (add1 i)))
                                 (rplus (delta1 p i)
                                        (rplus (rneg (c q i (ti (add1 i))))
                                               (rneg (delta1 q i))))))
                    (rplus (rtimes (rho) (r)) (rtimes (rho) (big-sigma)))))
          (z (rplus (rquotient-nat
                      (rplus (rtimes-nat (m)
                                         (rplus (delta)
                                                (rtimes (rational 2 1) (big-delta))))
                             (rtimes-nat (difference (n) (m))
                                         (rtimes (rational 2 1)
                                                 (rplus (epsilon)
                                                        (rplus (rtimes (rho) (s))
                                                               (rtimes (rational 1 2)
                                                                       (rtimes (rho) (big-delta))))))))
                      (n))
                    (rplus (rtimes (rho) (r)) (rtimes (rho) (big-sigma)))))))
   (enable rlessp-rleq lemma6 rleq-rplus-pair rleq-reflexive rtimes-nat-rtimes-nat2)))


(lemma theorem1-basis (rewrite)
  (S1C p q 0)
  ((use (sublemma-a (i 0) (tm (tm 0 p q)))
        (rleq-transitive (x (skew p q (tm 0 p q) 0))
                         (y (rplus (skew p q (ti 0) 0) (rtimes (rho) (r))))
                         (z (delta)))
        (A0) (c5))
   (enable S1C-suff rlessp-rleq rlessp-rleq-transitive3)))

(lemma theorem1-ind-step0 (rewrite)
  (implies (and (S1A (add1 i))
                (S1C p q i)
                (theorem1-one-step i))
           (S1C p q (add1 i)))
  ((use (rearrange-delta (delta (delta))
                         (big-sigma (big-sigma))
                         (r (r))
                         (n (n))
                         (big-delta (big-delta))
                         (m (m))
                         (s (s))
                         (rho (rho))
                         (epsilon (epsilon)))
        (c5) (culmination (tm (tm (add1 i) p q))))
   (enable rleq-transitive)))

(lemma theorem1-ind-step (rewrite)
  (implies (and (not (zerop i))
                (theorem1-one-step (sub1 i)))
           (theorem1-one-step i))
  ((use (theorem1-ind-step0 (i (sub1 i)) (p (p i)) (q (q i)))
        (theorem1-one-step-necc (i (sub1 i)) (p (p i)) (q (q i)))
        (theorem1-one-step-suff))
   (enable S1A-lemma)
   (disable theorem1-one-step-suff)))

(lemma theorem1-version1 (rewrite)
  (theorem1-one-step i)
  ((induct (sub1-induction i))
   (enable theorem1-basis not-numberp-S1C theorem1-ind-step)))

(lemma theorem1 (rewrite)
  (implies (S1A i)
           (S1C p q i))
  ((use (theorem1-version1)
        (theorem1-one-step-necc))))